<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:video="http://www.google.com/schemas/sitemap-video/1.1">
  <url>
    <loc>https://www.prohipaa.com/training/video/what-are-patients-rights-with-phi</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3541.mp4      </video:content_loc>
      <video:title>
What are Patients' Rights with PHI?      </video:title>
      <video:description>
In this lesson, we're going to go over patients' rights, what information requires authorization, what information does not require authorization, and give you a few examples along the way. At the end of the lesson, we'll provide you with an additional Word about patient health information privacy rights.

Most of us believe that our medical information and other health information is private and should be protected, and many want to know who has this information. The HIPAA Privacy Rule gives patients rights over their health information and sets rules and limits on who can look at and receive their protected health information.

Covered Entities and Patients' Rights

Pro Tip #1: All covered entities are required to provide individuals with their privacy practices policy whenever it is requested. A healthcare organization's privacy practices policy should describe several things, including:
How medical information about the patient will be used and disclosed
How patients can get access to their medical information if they request it
The process patients should use when filing complaints regarding their PHI
What types of uses and disclosures of PHI are permitted
What types of uses and disclosures require authorization

These patient rights include asking for a copy of their healthcare provider's rights and privacy policies when they visit their primary physician or local hospital. All patients are entitled to see or get a copy of their own medical records that each healthcare practice or organization keeps.

Pro Tip #2: Upon request, all covered entities must provide an accounting of all protected health information disclosures made for treatment, payment, and healthcare operations during the prior six years. This includes all financial records tied to the healthcare services.

One important caveat for patients: if you are receiving medical care and paying for those services yourself, you are not required to disclose any protected health information to your health plan.

Patient Authorization

Pro Tip #3: Patient authorization is necessary for covered entities, like healthcare organizations, to obtain an individual's personal health information and billing information for purposes other than treatment, payment, or healthcare operations. However, it is not required in order for the patient to receive treatment. And as you'll see below, there are some exceptions that should be noted.

A common question many physicians have is: can I see a patient without getting written authorization? The answer is yes, you can. However, it's a good idea to update the patient's medical record and make a note of it when or if it happens.

Sharing Patient Information Without Authorization:
Referrals and Treatment: When referring a patient to another healthcare provider, you do not need written authorization from the patient to share the health information necessary for treatment purposes.
Worker's Compensation and OSHA: In the event of a worker's compensation claim or a directive from OSHA, physicians can provide patient information without the need to receive authorization from the patient.

Other circumstances that do not require patient authorization are situations where there is a need to alert law enforcement officials of an imminent danger, either to the patient or, if the patient is a danger to others, to those others. An example of this would be trying to protect a minor from abuse. If you're a physician who suspects abuse, you are authorized to report it.

Another example: the HIPAA Privacy Rule allows covered healthcare providers to disclose protected health information about students to school nurses, physicians, or other healthcare providers for treatment purposes without requiring the authorization of the student or the student's parents or guardians. For instance, a student's primary care physician can discuss the student's medication or other healthcare needs with a school nurse who will administer medications and provide care to the student while he or she is at school.

A Word About Patient Health Information Privacy Rights

For patients, knowing their rights is the first step to protecting them.

How Can Patients Get Their Health Information?
As noted at the beginning of this lesson, patients can ask to see or get a copy of their medical records and other health information. However, if they want a copy, they may have to put their request in writing and pay the cost of copying and mailing. In most cases, their copies must be given to them within 30 days.

How Can Patients Change Their Health Information?
Patients can ask to change any wrong information in their file or add information if they think something is missing or incomplete. For example, if a patient and his or her hospital agree that the file has the wrong results for a test, the hospital must change it. Even if the hospital believes the test result is correct, patients still have the right to have their disagreement noted in their file. In most cases, the file should be updated within 60 days.

How Can Patients Know Who Has Seen Their Health Information?
By law, patients' health information can be used and shared for specific reasons not directly related to their care, like making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in the patients' area, or reporting as required by state or federal law. In many of these cases, patients can find out who has seen their health information.

Patients have two options:
Learn how their health information is used and shared by their doctor or health insurer.
Let their providers or health insurance companies know if there is information they do not want to share.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6325/what-are-patients-rights-with-phi.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
162      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/privacy-and-security-rules</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3540.mp4      </video:content_loc>
      <video:title>
Privacy and Security Rules      </video:title>
      <video:description>
In this lesson, we're going to cover the HIPAA Privacy Rule and the Security Rule. We'll dig into the three safeguards, administrative, physical, and technical, and include rules and examples for each.

The HIPAA Privacy Rule establishes standards for protecting patients' medical records and other protected health information (PHI). It specifies two important things:
What rights patients have over their information, and it requires covered entities to protect that information.
What uses and disclosures are authorized or required.

The privacy and security rules allow healthcare providers to share PHI electronically for treatment purposes as long as they apply reasonable safeguards when doing so. A couple of examples of this would be when a physician consults with another physician by secured email regarding a patient's condition, or when a healthcare provider exchanges PHI through electronic medical records for patient care. Covered entities need to put safeguards in place to protect this information. These safeguards include:
Administrative safeguards
Physical safeguards
Technical safeguards

Pro Tip #1: All covered entities need to perform risk analyses to determine what measures need to be taken to reduce risks and vulnerabilities to an appropriate level.

Administrative Safeguards
Administrative safeguards include office rules and procedures that help keep protected health data secure. To accomplish this, covered entities should designate security officials who are responsible for the following:
Developing and implementing the covered entity's security policies and procedures
Determining who should be authorized to access PHI
Training all staff in these security policies and procedures
Applying the appropriate sanctions against workforce members who violate those policies and procedures
Performing periodic risk assessments of how well the security policies and procedures are meeting the requirements of HIPAA's Security Rule

Example of an Administrative Safeguard
An example of an administrative safeguard would be allowing only office managers to send protected health information in electronic form.

Physical Safeguards
Physical safeguards under the HIPAA Security Rule include the following:
Limiting physical access to all facilities while also ensuring that only authorized access is allowed
Implementing the covered entity's policies and procedures that specify the proper use of and access to computers, and the positioning of screens and monitors in all patient areas
Putting into place policies and procedures regarding the physical transfer, removal, disposal, and reuse of all electronic media, such as computer hard drives

Example of a Physical Safeguard
An example of a physical safeguard would be keeping all patient files in a locked room that only specified and authorized personnel have access to.

Technical Safeguards
Technical safeguards under the HIPAA Security Rule include the following:
Implementing hardware, software, and/or procedural mechanisms to record and examine access and other activity in all information systems that contain or use protected health information
Implementing policies and procedures to ensure that electronic measures are in place to confirm that protected health information is not improperly altered or destroyed
Implementing technical security measures that guard against unauthorized access to all PHI that is transmitted over an electronic network

Example of a Technical Safeguard
A couple of examples of technical safeguards would be using data encryption and strong passwords to better protect files from unauthorized access.

Pro Tip #2: HIPAA's Privacy Rule gives much-needed flexibility to healthcare providers and plans to create their own privacy policies, tailored to fit their size and needs. However, no matter the size of the covered entity, whether that entity is a small optometrist office or a large hospital with thousands of employees, each covered entity is required to have a written privacy policy.

In general, all covered entities must do everything they can to secure all patient records that contain personally identifiable information so that the information isn't readily available to people who do not need it. You may recall the list of the 18 PHI identifiers that we provided in the last lesson. Also, covered entities must always release only as much protected health information as is necessary to address the specific needs of the entity requesting the information, or what the HIPAA regulation refers to as the minimum amount necessary to satisfy the inquiry. You might also recall from the last lesson that when it comes to transmitting or sharing protected health information, less is always more.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6323/privacy-and-security-rules.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
247      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/hipaa-breaches-violations-and-penalties</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3542.mp4      </video:content_loc>
      <video:title>
HIPAA Breaches, Violations and Penalties      </video:title>
      <video:description>
In this lesson, we'll be taking an introductory look at HIPAA data breaches, violations, and penalties. And at the end of the lesson, we'll look at some of the more recent healthcare data breaches and what caused them.

In 2008, total HIPAA breach fines were a scant $100,000. And while this may sound like a pretty good amount of money, we've seen these data breach fines jump up every year in ways that may shock you, culminating in a record year in 2017, which no doubt will be broken once 2018's figures are calculated. Here's a look at how those data breach fines have been growing exponentially:
2008: $100,000
2010: $1.3 million
2012: $4.8 million
2014: $7.9 million
2016: $20.7 million
2017: $23 million
2018: $28.6 million

As you can see, not only has there been a steady increase in fines every year, but they've been increasing at an extremely rapid pace.

Pro Tip: It's important for covered entities to have policies and procedures in place. One way to do this is by creating a Book of Evidence. Not only is this a HIPAA requirement, but it can help protect businesses in case of a data breach, violation, or audit. We'll be digging into the Book of Evidence in a subsequent lesson.

You may recall from the corresponding video for this lesson how an employee had sticky notes containing passwords at her workstation, in plain sight. This would be an obvious violation of HIPAA security policies and an obvious example that common sense is actually pretty uncommon. If, like the person in the video, you also can't remember passwords, find a better way to keep them handy and secure, rather than just handy. Putting those sticky notes under your keyboard may seem like a good place, but that's kind of like putting your house keys under your welcome mat or your car keys on top of the visor; in other words, places thieves will no doubt look. And since you are required by law to have passwords in order to access PHI, make sure those passwords are complex and your storage location secure.

A Word About Recent Healthcare Data Breaches

This Word section is simply to provide you with an idea of how common, varied, and potentially devastating these data breaches can be, by highlighting a few of the more recent healthcare data breaches, as of the end of the year 2019.

New Mexico Hospital Discovers Malware on Imaging Server (discovered on November 14, 2019)
Roosevelt General Hospital in Portales, New Mexico recently discovered malware on a digital imaging server used by its radiology department. The malware may have allowed cybercriminals to gain access to the radiological images of around 500 patients. The malware infection was discovered on November 14, 2019, and prompt action was taken to isolate the server in order to prevent further unauthorized access and block communications with the attackers' command and control server. The IT department was able to remove the malware and rebuild the server, and all patient data was recovered. A scan was conducted to identify any vulnerabilities, and the hospital is now satisfied that the server is secured and protected. The investigation into the breach did not uncover any evidence to suggest that PHI and medical images were viewed or stolen by the hackers, but the possibility of unauthorized data access and PHI theft could not be ruled out.

CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries (discovered on December 4, 2019)
The Centers for Medicare and Medicaid Services (CMS) recently discovered a bug in its Blue Button 2.0 API that exposed the PHI of around 10,000 Medicare beneficiaries. Access to the Blue Button API was temporarily suspended while the CMS completed a comprehensive code review. On December 4, 2019, the CMS was alerted to a data anomaly with the Blue Button API by a third-party application partner. The CMS confirmed the data anomaly and immediately suspended access to the production environment while the matter was investigated. The CMS determined the anomaly was due to a coding bug. That bug potentially allowed data to be shared with incorrect Blue Button 2.0 applications and the wrong beneficiaries. The CMS determined that 30 applications were impacted by the bug, in addition to the thousands of people whose PHI was exposed.

Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches (discovered on November 6, 2019)
The State of Colorado recently notified 12,230 individuals about an impermissible disclosure of some of their protected health information as a result of a mailing error. The error occurred in a Colorado Department of Human Services mailing of notices to reapply for food and cash assistance programs. The error was discovered on November 6, 2019. The investigation revealed 10,879 notice-to-reapply forms had been sent out that contained the information of incorrect individuals. The information of 12,230 individuals had been incorrectly included on the forms. The information included names, employers, whether the person had a vehicle, and a limited amount of other information related to household resources. No addresses, dates of birth, financial information, Social Security numbers, or other information required for identity theft and fraud were disclosed.

Some Important Points
While these data breach incidents aren't likely to make national headlines the way other healthcare data breaches involving millions of people have over the last year, they are still important for a couple of reasons:
Frequency: These all happened in the last several weeks of 2019, which begs the question: how often is too often?
How they occurred: All three of these breaches were caused in different ways: malware, a computer bug, and a mailing error.

While it would be easy to chalk up data breaches to hackers and cybercriminals, the truth is that human/employee error accounts for a large number of them as well.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6327/hipaa-breaches-violations-and-penalties.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
94      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/why-cybercriminals-want-phi</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3543.mp4      </video:content_loc>
      <video:title>
Why Cybercriminals Want PHI      </video:title>
      <video:description>
In this lesson, we'll be covering why cybercriminals want PHI, the value of PHI on the black market, and some examples of what ransomware looks like. We'll also show you some ways you can protect PHI and ePHI and what your obligation is in the event of a data breach at your place of employment. And at the end of the lesson, we'll have a one-question quiz that we're certain you'll pass.

As of 2019, the healthcare industry has the 4th largest number of data breaches among the top five business sectors in the U.S. These sectors include, in order of the number of breaches from highest to lowest:
Financial services
Retail
Government
Healthcare
Manufacturing

Since healthcare ranks as high as it does for data breaches, it's important that you actively protect PHI and ePHI at all times.

The Value of PHI on the Black Market
When credit card numbers and bank account numbers are stolen, their lifespan is very short, as they're only useful until the victim cancels the card or closes the account.

Pro Tip #1: The information contained in medical records is much more valuable than credit card numbers and bank account numbers and has a much broader utility. This information can be used to commit multiple types of fraud and/or identity theft and (here's the important part) does not change even after it has been compromised. You can't cancel your social security number, for instance.

For this reason, the value of this type of personal data to cybercriminals is much higher than credit card numbers and bank account information alone. This information in a vacuum only has a selling price of $1 to $2 in the underground market. However, when a single credit card number is stolen and sold as part of a complete identity profile, that price in the underground market increases dramatically and jumps to around $720. As we've learned from the recent Equifax breaches and the WannaCry ransomware attacks, along with dozens or hundreds of lower-profile electronic attacks, PHI is extremely valuable to cybercriminals who can create and sell these identity packages on the dark web.

How You Can Help Protect PHI
The reasons outlined above are why it's so vital that you actively protect PHI and ePHI at all times. Over the last few years alone, and just using ransomware cases as an example, these types of cybersecurity threats have increased by more than 500 percent. Platforms used for ransomware attacks are platforms you likely use daily at work (professionally and personally while at work) and include:
Business applications
USB drives
Social media
Website attachments
Email

Warning: Be especially cautious when using USB drives, as they are usually used in multiple locations and can therefore become infected easily, as well as spread those infections equally easily.

Having said that, email is still the most common offender and medium for distributing ransomware and other potentially harmful bugs and viruses. When it comes to email, there are two places to be especially aware of as far as viruses go:
Around 38 percent of all viruses come embedded in the email itself, which means just opening the email is enough to possibly contribute to a data breach.
Around 28 percent of all viruses come inside an attachment, which is why you never open an attachment from a sender you don't know. However, …

Pro Tip #2: There is no reason to get to the suspicious attachment stage. If you ever receive a suspicious-looking email, DO NOT OPEN IT! Simply delete it and notify those in your organization responsible for such things, like your compliance officer, IT company, and so forth.

You may recall the example in the corresponding video for this lesson. The employee notices that an email looks weird and asks her manager what she should do. The manager shows her the proper way to handle such an email: mark it as junk and then empty the junk folder. The other important lesson from the video example is letting your privacy officer know when you receive a suspicious email, in case other employees receive the same email. It only takes one instance of an employee opening an email containing a virus to lead to a data breach.

Quiz: You just received a strange-looking email; what do you do?
A. I do not open it
B. I delete the email
C. I notify my manager, privacy officer, etc.
D. All of the above

If you answered D, congratulations! You just demonstrated uncommon sense. Seriously though, it's about good decision making and making those good decisions habitual.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6329/why-cybercriminals-want-phi.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
193      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/welcome-to-prohipaa</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3534.mp4      </video:content_loc>
      <video:title>
Welcome to ProHIPAA      </video:title>
      <video:description>
Welcome to your HIPAA compliance training course at ProHIPAA. This course is for anyone who needs a greater understanding of the importance of safeguarding Protected Health Information (PHI) and the ways in which you can do that, whether you're a trusted medical professional or a business associate who supports a medical professional or healthcare organization.

In this course, you'll learn:
Why cybercriminals want protected health information
All the HIPAA/HITECH requirements
The current state of HIPAA compliance

This course also includes sections on:
Why PHI is valuable
Recent data breaches
Current industry fines
The importance of encrypted email
Your responsibilities under the HIPAA law

Keep these in mind as you proceed through this course, as well as a few important course objectives:
The importance of government regulations
The current state of HIPAA/HITECH and your obligations under the law
How you can better protect and properly handle all PHI and ePHI

Thanks for choosing ProHIPAA. Let's begin!

A Word About PHI (Protected Health Information)

Since safeguarding PHI is the entire reason for HIPAA's existence, let's take a closer look at what constitutes Protected Health Information. PHI is health information that can identify the individual to whom it belongs. HIPAA's Privacy Rule was established to help protect PHI while in the care of either covered entities or business associates. This applies whether a covered entity or business associate is sending, receiving, or storing this information.

Covered Entities and PHI
A covered entity is:
A healthcare provider that conducts administrative and financial transactions in electronic form.
A healthcare clearinghouse.
A health plan.

The most common examples of a covered entity are your doctor's office and your dentist's office.

Business Associates and PHI
HHS.gov defines a business associate as “a person or entity (other than a member of the covered entity's workforce) that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information.” A common example of a business associate would be a third-party billing service that handles payment transactions on behalf of your doctor's or dentist's office.

What Information Is Considered PHI?
The two key elements in whether or not a piece of information can be considered PHI are:
The H stands for Health, so the information in question must be healthcare-related.
The information also must be identifiable. If the information in question cannot be used to identify the person it belongs to, then it isn't considered PHI.

Common pieces of information that are identifiable are names, addresses, dates of birth, and social security numbers: everything an identity thief needs. There are actually 18 HIPAA identifiers, which are listed at the end of this section.

Protected Health Information can include:
Demographic info
Medical records, lab reports, etc.
Services and procedures
Payment and billing info

PHI can be found in three forms:
Electronic form
On paper
Delivered orally/spoken

HIPAA Identifiers
Remember that for information to be considered PHI, it must be identifiable. Here are the 18 identifiers as outlined in the Privacy Rule.
Names (full name, or last name and initial).
All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
Dates (other than year) directly related to an individual.
Phone numbers.
Fax numbers.
Email addresses.
Social security numbers.
Medical record numbers.
Health insurance beneficiary numbers.
Account numbers.
Certificate and license numbers.
Vehicle identifiers (including serial numbers and license plate numbers).
Device identifiers and serial numbers.
Web Uniform Resource Locators (URLs).
Internet Protocol (IP) address numbers.
Biometric identifiers, including finger, retinal, and voice prints.
Full face photographic images and any comparable identifying images.
Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6311/welcome-to-prohipaa.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
98      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/hipaa-foundation-conclusion</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3546.mp4      </video:content_loc>
      <video:title>
HIPAA Foundation Conclusion      </video:title>
      <video:description>
In this lesson, we'll quickly recap what you've learned in your ProHIPAA course, and at the end of the lesson, you'll find a Word (or two) about HITECH: what it is, what the goals of the law are, and why it's important.

We've gone over what the HIPAA and HITECH laws are, who manages the laws, and who is required to comply. You've learned about covered entities, business associates, and more about PHI than you probably thought possible, and for very good reasons, as you now know. For those of you also taking the HIPAA for Leaders course, you'll learn more about HITECH and business associates in that course.

Pro Tip: It's important to note that both covered entities and business associates share in the responsibility to protect personal health information at all times. If you are a covered entity doing all you can to be HIPAA compliant, but you're working with a business associate who isn't, this still poses a significant problem, as all it takes is one weak link in the chain.

For this reason, it's important for all covered entities to ensure that each of their business associates is a trusted partner, has their best interest in mind at all times, and, more importantly, is committed to protecting the health data of all of your customers and/or patients.

We've covered what the value of PHI is on the black market ($700 when part of a larger identity package) and why cybercriminals want PHI. We've looked a little into areas where PHI can be compromised and even a few recent instances in which PHI was compromised. It's critical to always protect PHI, not only for the safety and security of your customers and patients but also for the legacy and operational integrity of your own business or organization. A data breach isn't just costly in terms of fines. It's also costly in terms of reputation and possible future revenue losses.

Knowing that Your Organization is HIPAA Compliant: Priceless!

If you don't feel confident in your business or organization's ability to become or remain HIPAA compliant, it pays to engage a trustworthy HIPAA compliance partner who can guide you through your HIPAA compliance journey. Even though you've now learned what it takes to become HIPAA compliant, you may still need help getting there. And you certainly have a better understanding of the damage that could occur if your business or organization isn't compliant and suffers a data breach. If you ever feel like you need further assistance, as in a HIPAA compliance guide who can navigate you through those muddy waters, contact us at ProHIPAA.com or call us at 844-722-8898. Thank you, and remember that we're always here to help you.

A Word About HITECH

The HITECH Act (Health Information Technology for Economic and Clinical Health Act) was introduced during the Obama administration and signed into law on February 17, 2009.

The Goals of the HITECH Act
The HITECH Act was established to promote and expand the adoption of health information technology, specifically the use of electronic health records by healthcare providers. The Act also removed some of the loopholes in the HIPAA Act by tightening up the language of HIPAA. This helped to ensure that all business associates were complying with HIPAA Rules, and that when health information was compromised, notifications were sent to the affected individuals in a timely manner. Tougher penalties for HIPAA compliance failures were also introduced to add an extra incentive for healthcare organizations and their business associates to comply with the HIPAA Privacy and Security Rules.

The Importance of the HITECH Act
Prior to the introduction of the HITECH Act, only 10 percent of hospitals had adopted electronic health records. In order to advance healthcare, improve efficiency and patient care, and make it easier for health information to be shared between different covered entities, electronic health records needed to be adopted. The HITECH Act introduced incentives to encourage hospitals and other healthcare providers to make the change from paper records to electronic records. Had the Act not been passed, there is a good chance that many healthcare providers would still be using paper records today.

The HITECH Act also helped to make certain that healthcare organizations and their business associates were complying with the HIPAA Privacy and Security Rules, were implementing safeguards to keep personal health information private and confidential, were restricting the uses and disclosures of health information, and were honoring obligations to provide patients with copies of their medical records upon request. The Act did not make compliance with HIPAA mandatory; that was already a requirement. However, it did make certain that entities found not to be in compliance could be issued substantial fines. Penalties help increase compliance, and sometimes the only language that businesses understand is one that affects the bottom line.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6335/hipaa-foundation-conclusion.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
77      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/hipaa-social-media-mobile-devices-email-and-faxes</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3544.mp4      </video:content_loc>
      <video:title>
HIPAA and Social Media, Mobile Devices, Email and Faxes      </video:title>
      <video:description>
In this lesson, we'll be covering HIPAA law as it applies to social media, mobile devices, email, and faxes. And at the end of the lesson, we'll provide you with a brief Word about guidelines for properly disposing of protected health information, or PHI. HIPAA Law &amp; Social Media HIPAA law covers all PHI in electronic formats (also known as ePHI). This includes the following social media platforms:  Facebook Twitter Snapchat Instagram Any and all others   Pro Tip #1: While we as a society find it absolutely necessary to share everything on social media these days – including contrary opinions and meals we're about to consume – never under any circumstance should you disclose patient information, like names and treatments, on any social media platform.  Remember, though we're sure you know better, common sense is not all that common, which is why these things need to be said. And why we have to also note that if you do any of the above, you could be personally liable financially and criminally for disclosing any protected health information on social media platforms. HIPAA Law &amp; Mobile Devices Mobile devices include but are not limited to:  Smartphones Tablets Laptops   Pro Tip #2: While disclosing PHI on social media is always a no-no, mobile devices can be used to share protected health information IF appropriate safeguards are in place. What does IF mean?  In short, we're referring to encryption. If you are sharing PHI on mobile devices, you have to use an encrypted texting or chatting platform. You cannot simply just pick up your phone and text PHI to a doctor, nurse, health plan, insurance company, etc. Why can't you do this? Because standard texting platforms:  Have only limited encryption Are not HIPAA compliant Use a cloud that stores all text messages  HIPAA Law &amp; Email Platforms Standard email platforms are also not compliant according to HIPAA, and these include:  Gmail Hotmail AOL (which may or may not be extinct) Yahoo! 
Any local IT provider's email platform  All emails sent through the above free platforms are subject to automated processing. Your email and sensitive patient data will be scanned for targeted advertising when using those platforms.  Pro Tip #3: It's important to note that while Google has chosen to not sign a business associate agreement (BAA) when using their Gmail platform, their paid service – G Suite – has signed BAAs. Other paid email platforms may also be acceptable, like Microsoft Office 365. The key is the provider's willingness to sign a business associate agreement.  HIPAA Law &amp; Faxes Faxes are an approved and HIPAA compliant means of sending PHI. However, you still need to be mindful when doing so. This means always using a cover sheet before sending a fax that contains protected health information. What if you send a fax containing PHI in error? If this happens, you need to contact the receiver and notify them to destroy the fax. Likewise, if you receive a fax containing PHI in error, you must notify the sender and also destroy the information. A Word About Guidelines for Properly Disposing of PHI Disposing of PHI is of the utmost importance, particularly in our modern digital world where deleted tweets aren't really ever gone. The following PHI disposal guidelines should ensure that you and your organization remain HIPAA compliant.  
Shred all hard copies containing PHI when the copies are no longer needed Place hardcopies to be recycled in locked recycle bins if available Delete all soft copy files containing PHI from your computer and from the server when the information is no longer needed within the record retention requirements Destroy all disks, CDs, etc., that contained PHI before disposing of them Do not reuse disks or CDs that contained PHI without sanitizing them first Contact your IT department before transporting or transferring equipment for proper procedures to move equipment and to sanitize hard drives and other media Return the PHI to the sender, if this requirement is stipulated in any contractual agreements       </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6331/hipaa-social-media-mobile-devices-email-and-faxes.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
112      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/the-history-of-hipaa</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3535.mp4      </video:content_loc>
      <video:title>
The History of HIPAA      </video:title>
      <video:description>
 In this lesson, we'll dig a little deeper into what HIPAA is, what it covers, the evolution of protecting healthcare patient data, and the benefits that this legislation produces. In the 1990s, as the internet was coming onto the scene and growing rapidly, Congress recognized the need to establish a system that would help enforce the rights of patients and at the same time, protect the privacy of their medical records. This need and the realization of it led to the creation of the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. Eventually, additional layers of protection would follow with more legislation. As health records were becoming digitized, this led to the HITECH Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act of 2009. And finally … The Omnibus Rule of 2013 expanded how technology companies protected healthcare data, while also enforcing the security and policies set forth by the Health and Human Services Office for Civil Rights. This important U.S. legislation provides data privacy and security provisions for safeguarding medical information. It includes the portability of insurance information between covered entities and providers to insurance companies. And it covers the protection and privacy of healthcare information transmitted electronically. Obvious benefits of such legislation include helping to improve the standardization and efficiency in healthcare data and helping to prevent discrimination and fraud. A Word About PHI Guidelines Remember, for information to be considered PHI – Protected Health Information – it must be healthcare-related and it must be identifiable, as in used to identify the person whose information it is. PHI can include demographic information, medical records, services rendered, and payment and billing information. 
And more importantly, as it pertains to this section, PHI can be:  In electronic form In paper form Orally delivered  And now let's turn from the theoretical to the practical with a question: What can covered entities and business associates do to better protect this information? It depends on how the information was delivered or in what form it currently resides. But whatever form that PHI takes, we have a set of guidelines that will help you protect it. (On a side note, if you were longing for some lists, you're going to be very excited.) In-Person Conversations Guidelines  Discuss patients' PHI in private. Use an office with a door whenever possible or leave areas where others can overhear. Be aware of those around you and lower your voice when discussing a patient's health information. If possible, point out health information on paper or on-screen nonverbally when discussing a patient's health information.  Telephone Conversations Guidelines  Follow the above guidelines plus … Don't use names; instead say "I have a question about a patient." Never give PHI over the phone when talking to unknown callers. Never leave PHI on voice messages. Instead leave a message requesting a return call to discuss a patient, and leave only your name and phone number. Do not discuss PHI over unencrypted cellular or portable (wireless) phones or in an emergency, as the transmissions can be intercepted.  Texting Guidelines  Use a secure text messaging system. Develop, document, and implement your organization's mobile device policies and procedures to safeguard health information.  Faxing Guidelines  Put fax machines in a safe location. That means in places that cannot be reached by people who shouldn't have access to them. Use a cover sheet clearly identifying the intended recipient and include your name and contact information on the cover sheet. Do not include or reference any PHI on the cover sheet. Confirm the fax number is correct before sending. 
Whenever possible, send all faxes containing patient health information only when the authorized recipients are there to receive them. Verify that the fax was received by the authorized recipient; check the transmission report to ensure the correct number was reached and, when necessary, contact the authorized recipient to confirm receipt. Deliver received faxes to the recipient as soon as possible. Do not leave faxes unattended at the fax machine.  Emailing Guidelines  Do not include PHI in the subject line or the body of an email. Transmit PHI only in a password-protected attachment. (MS Word and MS Excel both provide password protection.) Include a confidentiality attachment in any emails that contain attachments with PHI. Do not send attachment passwords in the same email as the attachment. Include your contact information (at minimum, your name and phone number) as part of the email. Set email sending options to request an automatic return receipt from your recipients. Request that email recipients call to discuss specific patient data. Do not store emails or email attachments with PHI on your hard drive. Instead, copy and store to a secure server. Delete all emails and their attachments when they are no longer needed.  Courier and Regular Mail Guidelines  Use sealed and secured envelopes to send PHI. Verify that the authorized person accepting the package has received it. Deliver all mail promptly to the recipient. Mailboxes must be in safe areas and not located in public or high-traffic areas.  Inter-Office Mail Guidelines  Put PHI in closed inter-office envelopes. As an added precaution, put PHI in a sealed envelope first. Identify the recipient by name and verify the mail center address. Distribute inter-office mail promptly to recipients. Do not leave it unattended in mailboxes. Where practical, use lockable containers (e.g. briefcases) to transport correspondence that contains PHI.        </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6313/the-history-of-hipaa.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
83      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/how-to-be-proactive-to-be-hipaa-compliant</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3545.mp4      </video:content_loc>
      <video:title>
How to be Proactive to be HIPAA Compliant      </video:title>
      <video:description>
In this lesson, we're going to look at ways you can reduce the risks to your business as it pertains to data breaches. To this end, we'll show the 3 Pillars of Success that should help eliminate your risks and keep you HIPAA compliant. And at the end of the lesson, we'll provide you with a Word about the duties of a HIPAA compliance officer. There are several common issues we've seen over the years that greatly contribute to you or your organization not being HIPAA compliant, which increases your risk of suffering through a data breach. Those issues include:  Your organization's and staff's understanding of HIPAA and HITECH laws Limited or no training on how to properly handle PHI, including ePHI and oral conversations A lack of risk assessments to help identify your risks to PHI A limited, or no, Book of Evidence that includes your organization's policies and procedures Not using the proper business associate agreements (BAAs) The use of Gmail, Yahoo, MSN, AOL, and other unsecure platforms for the transmission of PHI  So, how can you and your organization be more proactive at reducing your risks and becoming more HIPAA compliant? You can institute what we describe as the 3 Pillars of Success. The 3 Pillars of Success The 3 Pillars of Success are:  Risk Assessments A Book of Evidence Compliance Training  Let's look at each of these in more detail. Risk Assessments Your business or organization must perform a regularly scheduled compliance risk assessment. We recommend doing this on at least an annual basis to ensure that all staff understand any changes within your organization and/or business environment that could contribute to it being less secure. A Book of Evidence A Book of Evidence is a basic HIPAA requirement and contains all of your organization's policies and procedures on handling PHI and ePHI, including, among other things, your business continuity plan, data breach plan, and how to handle unauthorized access of protected health information. 
Compliance Training Compliance training is an essential part of any security plan and ensures that you and your staff understand how to better protect PHI and follow all of your organization's policies and procedures. The human firewall is the best kind of firewall, but it cannot properly function without training and education. The more you and your employees understand the risks involved and how to handle PHI, the better your organization's chances of reducing the risks of data breaches and the subsequent risks to your business. A Word About the Duties of a HIPAA Compliance Officer HIPAA requires that one or more people within a covered entity or business associate is assigned the duties of a HIPAA Compliance Officer. How much work is involved depends on the size of the covered entity or business associate along with the amount of PHI involved. And in smaller organizations, it is often the case that the duties of a HIPAA Compliance Officer are divided between a Privacy Officer and a Security Officer. (Our crystal ball says that we'll be digging into these roles in later lessons.) The typical duties of a HIPAA Compliance Officer include:  Gaining a thorough knowledge of the HIPAA Privacy and Security Rules and the solutions available that will allow him or her to develop a HIPAA compliance program. After developing a HIPAA compliance program, the compliance officer should document progress towards its implementation, which would include creating a system that enables the officer to monitor the status of the organization's HIPAA compliance. That system should allow the officer to prioritize efforts towards compliance and communicate priorities to others in the organization. It should also act as a conduit through which compliance concerns can be raised and organizational changes coordinated. The HIPAA Compliance Officer is responsible for developing training programs and executing training courses. 
These should be designed to help employees understand HIPAA compliance and how any changes implemented will affect their specific duties. The HIPAA Compliance Officer is also responsible for monitoring the Department of Health &amp; Human Services' and their state's regulatory requirements. When new regulations or guidelines are introduced, the officer must adjust their organization's HIPAA compliance program to reflect those changes.  It's important to understand that HIPAA regulations do not define exactly what the duties of a HIPAA Compliance Officer are. Instead, HIPAA leaves it to each covered entity or business associate to establish their own duties according to their specific requirements. Thus, in order for an organization to effectively establish the duties of a HIPAA Compliance Officer, it is necessary for that organization to first understand what those specific requirements are. And part of that would entail undertaking a risk assessment.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6333/how-to-be-proactive-to-be-hipaa-compliant.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
107      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/what-is-hipaa</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3933.mp4      </video:content_loc>
      <video:title>
What is HIPAA?      </video:title>
      <video:description>
In this lesson, you'll learn what HIPAA is, the role it plays in healthcare, and who is mandated to follow its requirements, along with relevant real-world examples. What is HIPAA? HIPAA is an acronym that stands for – Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark act to provide the following:  The portability of insurance The protection and privacy of healthcare information The standardization and efficiency in healthcare data The prevention of discrimination and fraud  What is HIPAA's Role in Healthcare? HIPAA gives the U.S. Department of Health and Human Services the responsibility of adopting rules to help individuals and companies keep important health information private. HIPAA protects against unauthorized disclosure of any protected health information that pertains to healthcare patients. HIPAA establishes a national set of security standards for protecting certain health information that is held or transferred electronically. In addition to privacy and security, administrative provisions were also included in HIPAA to improve the efficiency and effectiveness of the healthcare system. These provisions include:  Specific transaction standards and code sets A national standard of unique identifiers for employers, health plans, and healthcare providers Data security and electronic signatures   Pro Tip #1: HIPAA compliance is highly dependent on the size, function, administration, and type of entity or business association. Therefore, this training module is not intended to be a comprehensive HIPAA compliance guide.   Warning: Entities and business associates that are regulated by HIPAA's privacy and security rules are obligated to comply with all federal and state requirements and should not rely on this training alone as a source of legal information or advice. 
In addition, to ensure compliance with HIPAA, covered entities and business associates should regularly perform a risk assessment to track access to PHI and periodically evaluate the effectiveness of the security measures that have been put into place.  Who is Mandated to Follow HIPAA's Requirements? HIPAA law applies directly to two particular groups known as covered entities and business associates, and these can include:  Healthcare providers Health plans Healthcare clearinghouses Tech companies Cloud service providers Anyone with access to PHI  What is a Healthcare Provider? A healthcare provider is any provider of medical or other health services or any organization or person who transmits health information in electronic form. This includes organizations and individuals who provide billing services or are paid in connection to services in the course of doing business. Common examples include:  Physicians Dentists Optometrists Nurses Mental health providers Radiology centers Chiropractors Psychologists Pharmacies Durable Medical Equipment (DME) providers Hospitals Ambulance companies Home healthcare workers Social workers  What is a Health Plan? A health plan is any individual or group plan that provides or pays the cost of healthcare services, such as an HMO, an insurance company, and Medicaid and Medicare. What is a Healthcare Clearinghouse? A healthcare clearinghouse is a public or private entity that processes healthcare transactions from one form to another in a required format. An example would be a third-party billing service that ensures that all information between a doctor's office and an insurance company complies with all HIPAA requirements.  Pro Tip #2: HIPAA applies to employers only to the extent that they operate in one of these three groups. Furthermore, the same standards apply to covered entities in both the public and private sectors.  
If a company offered healthcare services and treatment to employees onsite – like an onsite clinic – the employer would be a covered entity and would be required to follow all HIPAA requirements. What is a Business Associate? A business associate is any company or individual with direct or incidental access to PHI or ePHI. Business associates are required to have in place:  A risk assessment plan Proper training Specific policies and procedures  Examples of business associates include:  IT vendors Call centers Court reporters Cloud providers Legal services providers Suppliers and manufacturers with access to PHI and ePHI  Business associates have the same requirements as covered entities to protect PHI and are required to notify covered entities of any potential and/or active data breaches. Business associates must also comply with HIPAA requirements by signing a contractual agreement with the covered entity – known as a Business Associate Agreement (BAA). The BAA states that a business associate will only use protected health information for proper purposes and will safeguard it from misuse. Business associates must also comply with all HIPAA security requirements and will ensure administrative, physical, and technological safeguards are in place. If a business associate violates the BAA, they will be in violation of the contract with the covered entity and in violation of HIPAA. In which case, the business associate will be held accountable for all penalties from both violations.  Pro Tip #3: If a business associate uses subcontractors, HIPAA requires contractual agreements between them. Subcontractors are held to the same HIPAA requirements when it comes to protected health information.       </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/7075/what-is-hipaa-new.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
316      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/important-hipaa-terminology</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3537.mp4      </video:content_loc>
      <video:title>
Important HIPAA Terminology      </video:title>
      <video:description>
This lesson is all about learning some important definitions to better help you understand HIPAA terminology. There will, of course, be a little repetition. HIPAA Health Insurance Portability and Accountability Act of 1996. HITECH Health Information Technology for Economic and Clinical Health Act of 2009.  Pro Tip #1: The goal of HITECH is to promote the adoption and meaningful use of health information technology and significantly expand the HIPAA privacy rule and security standards as new requirements concerning privacy and security of PHI are enacted.  PHI Protected Health Information (patients’ personal and medical information). ePHI Electronic Protected Health Information. This includes all personal health information that is stored, and/or transmitted, electronically. Common examples of ePHI include:  Faxes Emails Data backup Cloud providers Patient portals Removable media Secure texting  Whether the health information is being stored or transmitted, it must be encrypted first. Business Associate Any person or organization that supports the healthcare industry in some fashion and performs functions and activities in support of a covered entity. Business Associate Requirements Per HITECH regulations, business associates are now legally required to be compliant with the HITECH Act. This includes assuming financial liability for any and all data breaches caused by their organization or employees. All business associates are required to have:  A risk assessment Proper training A Book of Evidence  Risk Assessment A set of government mandated questions to help organizations identify gaps in risk, to their organization and to the covered entities they serve. This includes a risk report with a road map to resolving any potential problems. There are three sections on a risk assessment along with three types of questions. 
Sections on Risk Assessment  Administrative Technical Physical  Types of Risk Assessment Questions  Standard Required Addressable  Standard questions measure a covered entity to ensure confidentiality, integrity, and availability of ePHI, while in the custody and care of covered entities and/or business associates.  Pro Tip #2: Covered entities and business associates must comply with the applicable standards provided in the Security Rule with respect to all ePHI.  Required questions are those that must be implemented by covered entities and/or business associates. Addressable questions, while not optional, do provide covered entities some additional flexibility with respect to compliance with the security standard. All organizations must determine their level of risk to PHI. If a risk is deemed reasonable, appropriate security measures will need to be applied. Book of Evidence The Book of Evidence is a customized book of policies and procedures that all organizations are required to create. The Book of Evidence illustrates how that organization handles all PHI and ePHI. This includes:  Data breach notifications Disaster recovery policies Privacy and patient policies  Privacy Policy A privacy policy explains how covered entities and business associates handle PHI. All covered entities are required by law to provide patients with a copy of their privacy policy upon request. Business associates must also be able to provide their privacy policies to both internal employees and external companies – also known as downstream suppliers – and for government audits. A Word About the Disposal of PHI The disposal of all protected health information (PHI) comes with its own set of requirements set forth by the HIPAA Privacy and Security Rules. These are steps that covered entities take when they dispose of PHI.  Shred all hard copies containing PHI when the copies are no longer needed. Place hardcopies to be recycled in locked recycle bins if available. 
Delete all soft copy files containing PHI from all computers and from the server when the information is no longer needed within the record retention requirements. Destroy all disks, CDs, and other pieces of hardware that contained PHI before disposing of them. Do not reuse disks and/or CDs that contained PHI without thoroughly sanitizing them first. Contact the IT department for the proper procedures before transporting or transferring equipment and sanitizing hard drives and other media. Return the PHI (medical records) to the patient, if this requirement is stipulated in any contractual agreements. Many states impose requirements on covered entities to retain this information and make it available for a limited time, as is appropriate.  Health and Human Services encourages all covered entities to consider the steps that other prudent healthcare organizations and health information professionals are taking to protect patient privacy in connection with record disposal.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6317/important-hipaa-terminology.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
222      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/who-is-required-to-comply-with-hipaa-laws</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3536.mp4      </video:content_loc>
      <video:title>
Who is required to comply with HIPAA laws?      </video:title>
      <video:description>
In this lesson, we'll go over who's required to comply with HIPAA laws and the group the law directly applies to – covered entities. You may notice a bit of overlap from the lesson – What is HIPAA. Not to worry; it's all part of the secret sauce. Repetition is how we learn. Covered entities include:  Healthcare providers Health plans Healthcare Clearing Houses  What is a Covered Entity? A covered entity is any provider of medical or other health-related services, or a person that has access to protected health information. Examples include healthcare providers and health plans, but also organizations and individuals that provide billing services or are paid in connection with these services in the normal course of doing business. What is a Health Plan? A health plan is any individual or group plan that provides or pays the cost of healthcare services, such as an HMO, an insurance company, and Medicaid and Medicare. What is a Business Associate? A business associate is any company or individual with direct or incidental access to PHI or ePHI. Business associates are required to have in place:  A risk assessment plan Proper training Specific policies and procedures  Examples of business associates include:  IT vendors Call centers Court reporters Cloud providers Legal services providers Suppliers and manufacturers with access to PHI and ePHI  Business associates have the same requirements as covered entities to protect PHI and are required to notify covered entities of any potential and/or active data breaches. Business associates must also comply with HIPAA requirements by signing a contractual agreement with the covered entity – known as a Business Associate Agreement (BAA). A Word About Protecting PHI at Workstations At the end of the last lesson, we took a look at some guidelines and best practices for protecting PHI during communications, whether they be written, spoken, or electronic. 
In this section, we're going to tackle workstation use and workstation security and provide you with some guidelines for keeping them safe and secure. Along with workstation use and workstation security, there are two other standards when it comes to HIPAA's Physical Safeguards for protecting PHI – facility access controls and device and media controls. (Which we'll likely address in detail at another time.) HIPAA's Security Rule defines Physical Safeguards as “physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Workstation Use The HIPAA Privacy Rule defines a workstation as any "electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment." Inappropriate use of workstations increases a covered entity's risk, including those pertaining to virus attacks and other breaches. To comply with the workstation use standard, HIPAA requires all covered entities to: "Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information." It should be noted that this workstation use standard also includes remote work environments – any work from a remote location (home, travel, satellite office) – where employees have access to ePHI. Workstation Security Workstation security is another standard that has been put in place to better protect PHI. This standard requires covered entities to: "Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users." 
So, what are some safeguards or guidelines that will help protect PHI and ePHI at workstations? What a well-timed question. Computer Workstation Guidelines to Protect PHI To help protect PHI at workstations, consider implementing the following strategies:  Use password-protected screen savers, and turn off computers, or at least log out of the network, when not at your desk. Position computer monitors so they are not visible to others. Secure workstations and laptops with passwords. Change passwords on a regular basis. Do not leave laptops, other work-related devices, or PHI visible or unsecured in a car, home office, or in any public areas. Ensure that all PHI – including that used outside of the work environment – is protected using appropriate measures such as being stored in locked desks and file cabinets. Never remove original copies of PHI without your supervisor's approval. Store files that contain PHI on a secure server, not on your workstation hard drive.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6315/who-is-required-to-comply-with-hipaa-laws.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
84      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/what-is-a-covered-entity</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3538.mp4      </video:content_loc>
      <video:title>
What is a Covered Entity?      </video:title>
      <video:description>
In this lesson, we'll go over some basics of covered entities – what covered entities are, some examples of covered entities, and what requirements covered entities all share. And at the end of the lesson, we'll provide you with a Word about the differences between covered entities and business associates. What is a Covered Entity? A covered entity is any provider of medical or other health services or people that have or handle PHI (protected health information). Covered entities include the following:  Healthcare providers Health plans Organizations and/or individuals that provide billing services or are paid in connection with services in the normal course of conducting business   Pro Tip: The key phrase to remember as it relates to covered entities is that they handle PHI. This is the common element that all covered entities share.  You may recall from a previous lesson that PHI is health information that can identify the individual to whom the information belongs. HIPAA's Privacy Rule was established to help protect PHI while in the care of either covered entities or business associates. This includes whether a covered entity or business associate is sending, receiving, or storing this information. The two key elements to whether or not a piece of information can be considered PHI are:  The H stands for Health, so the information in question must be healthcare-related. The information also must be identifiable. If the information in question cannot be used to identify the person it belongs to, then it isn't considered PHI.  Common pieces of information that are identifiable are names, addresses, dates of birth, and social security numbers. Everything an identity thief needs. What are Some Examples of Covered Entities? 
The list of covered entities is quite substantial and includes the following:  Physicians Optometrists Dentists Nurses Mental health providers Radiologists Laboratories Pharmacies Call centers Durable medical equipment providers Hospitals Ambulance companies Healthcare workers Case managers Social workers  As you can see, the list of covered entities extends well beyond healthcare professionals themselves and even beyond healthcare institutions like hospitals and clinics. What is Required of a Covered Entity? A covered entity is required to comply with all of HIPAA's regulations. These would include the following:  They are required to have risk assessments They are required to have compliance training for staff They are required to have a Book of Evidence that contains all the proper policies and procedures on how to handle PHI  A Word About the Differences Between Covered Entities &amp; Business Associates First, let's define what a business associate is. What is a Business Associate? A business associate is any business or person that provides a service for a covered entity, or a certain function or activity, when that service, function or activity involves the access to PHI that is maintained by the covered entity. Examples of business associates include, but aren't limited to:  Lawyers Accountants IT contractors Billing companies Cloud storage services Email encryption services  The key phrase from above that really defines a business associate is this: the access to PHI that is maintained by the covered entity. What (Again) is a Covered Entity? Remember, HIPAA covered entities are healthcare providers, health plans, and organizations – like healthcare clearinghouses – that electronically transmit health information for transactions covered by HHS' standards. Without going too far down the rabbit hole, health plans are defined as health insurance companies, company health plans, government programs that pay for healthcare, and HMOs. 
Healthcare clearinghouses are defined as transcription service companies that format data to make it compliant and organizations that process non-standard health information. Here is the key element to remember – even if an entity is a healthcare provider, health plan, or healthcare clearinghouse, it is not considered a HIPAA covered entity if it does not transmit any information electronically for transactions for which HHS has adopted standards. Remember, a business associate is an entity – either an individual or a company – that is provided with access to protected health information for the purpose of providing services for a HIPAA covered entity. Business associates are required to sign a contract with the covered entity, called a business associate agreement (BAA), that outlines the responsibilities of the business associate and explains what is required of them to comply with HIPAA Rules. (This is something we will tackle in more detail in a subsequent lesson.) So, what is the Difference? Covered entities have PHI (protected health information) while business associates merely have access to PHI. It's a bit of an ambiguous distinction, but an important distinction, nonetheless.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6319/what-is-a-covered-entity.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
62      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/video/what-is-protected-health-information</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3539.mp4      </video:content_loc>
      <video:title>
What is PHI?      </video:title>
      <video:description>
In this lesson, we'll be going into some detail on what PHI is. At the end of the lesson, we'll dig into when PHI really isn't PHI, or in other words, exceptions to PHI. In a nutshell, PHI (protected health information) is any information that is individual to a patient – past, present, or future – about the care provided, whether physical or mental, for an individual. This can include documentation of doctor visits, charts and notes made by physicians and other healthcare staff, healthcare payment information, claim status, and the coordination of healthcare benefits.  Pro Tip #1: It's worth noting that HIPAA covers all forms of PHI, including electronic, paper, and even oral/spoken. Many people forget that PHI is also covered under spoken word. Be especially mindful when disclosing healthcare-related information with anyone – other patients, staff, and business associates.  You may recall from the corresponding video for this lesson that one patient overheard two healthcare employees talking about another patient's health information. When in doubt, always assume that someone might be listening. And do everything you can to make sure private conversations take place in private locations. Think of PHI the way you would classified information. You have been given clearance to see it. But it's your responsibility to keep it safe and from falling into the wrong hands at all times. A More In-Depth Look at PHI Under HIPAA rules and regulations, PHI is considered any identifiable health information that is used, maintained, stored, or transmitted by covered entities and business associates. As mentioned above, PHI is health information in any form, including physical records, electronic records, or spoken information. This means that PHI includes health records, health histories, lab test results, and medical bills.  
Pro Tip #2: The key point to remember regarding PHI is that to be considered PHI, it must include individual identifiers, such as patient names, social security numbers, driver's license numbers, insurance details, and birth dates, when they are linked with health information. Demographic information can also be considered PHI under HIPAA Rules.  There are in total 18 identifiers for PHI and these include the following:  Names Dates, except year Telephone numbers Geographic data Fax numbers Social security numbers Email addresses Medical record numbers Account numbers Health plan beneficiary numbers Certificate/license numbers Vehicle identifiers and serial numbers including license plates Web URLs Device identifiers and serial numbers Internet protocol addresses Full face photos and comparable images Biometric identifiers, such as retinal scans and fingerprints Any unique identifying number or code  Can PHI be Disclosed for Public Health Activities? The short answer is, yes. However, it's limited to the CDC (Centers for Disease Control and Prevention), public health authorities – federal or state – and OSHA. OSHA is unique because it can request information without authorization or the need to sign a business associate agreement.  Pro Tip #3: One caveat to remember, though, is that covered entities should reasonably limit the amount of PHI given in these circumstances to what is considered a necessary amount and nothing more. Remember, less is more when it comes to sharing personal health information.  So, why would OSHA request PHI? They could do so in the event of a natural disaster or a state of emergency in an attempt to determine the demographics of an affected area. Perhaps they need to mobilize the national guard, first responders, or military personnel to aid such an emergency. It's important to remember that if contacted by someone in the government about sharing PHI, you must ensure their legitimacy. 
Request relevant phone numbers and email addresses and ask for a written request. A Word About the Exceptions to PHI You may be tempted to think that all health information is considered PHI under HIPAA, but this isn't true, and there are some exceptions. One determining factor is who records the information. A good example of this would be health trackers, such as physical devices worn on the body or apps on mobile phones. These devices can record health information such as heart rate or blood pressure, which would be considered PHI under HIPAA rules if the information was recorded by a healthcare provider or was used by a health plan. However, the HIPAA rules only apply to HIPAA covered entities and their business associates. This means that if a device manufacturer or app developer hasn't been contracted by a HIPAA covered entity and also isn't a business associate, the information recorded would not be considered PHI under HIPAA rules. The same rules apply to education or employment records. Let's say a hospital holds data on its employees, which can include some health information like allergies or blood types. HIPAA rules do not apply to this type of information. Also, it's important to remember that under HIPAA, PHI ceases to be PHI if it's stripped of all identifiers listed above that can tie the information to an individual. When those identifiers are removed, the health information is technically referred to as de-identified PHI, and thus, HIPAA rules no longer apply.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6321/what-is-protected-health-information.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
260      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/welcome-to-prohipaa</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3534.mp4      </video:content_loc>
      <video:title>
Welcome to ProHIPAA      </video:title>
      <video:description>
Welcome to your HIPAA compliance training course at ProHIPAA. This course is for anyone who needs a greater understanding of the importance of safeguarding Protected Health Information (PHI) and the ways in which you can do that, whether you're a trusted medical professional or a business associate who supports a medical professional or healthcare organization. In this course, you'll learn:  Why cybercriminals want protected health information All the HIPAA/HITECH requirements The current state of HIPAA compliance  This course also includes sections on:  Why PHI is valuable Recent data breaches Current industry fines The importance of encrypted email Your responsibilities under the HIPAA law  Keep these in mind as you proceed through this course, as well as a few important course objectives:  The importance of government regulations The current state of HIPAA/HITECH and your obligations under the law How you can better protect and properly handle all PHI and ePHI  Thanks for choosing ProHIPAA. Let's begin! A Word About PHI (Protected Health Information) Since safeguarding PHI is the entire reason for HIPAA's existence, let's take a closer look at what constitutes Protected Health Information. PHI is health information that can identify the individual to whom the information belongs. HIPAA's Privacy Rule was established to help protect PHI while in the care of either covered entities or business associates. This includes whether a covered entity or business associate is sending, receiving, or storing this information. Covered Entities and PHI A covered entity is:  A healthcare provider that conducts administrative and financial transactions in electronic form. A healthcare clearinghouse. A health plan.  The most common examples of a covered entity are your doctor's office and your dentist's office. 
Business Associates and PHI HHS.gov defines a business associate as, “A person or entity (other than a member of the covered entity's workforce) that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information.” A common example of a business associate would be a third-party billing service that handles payment transactions on behalf of your doctor's or dentist's office. What Information is Considered PHI? The two key elements to whether or not a piece of information can be considered PHI are:  The H stands for Health, so the information in question must be healthcare-related. The information also must be identifiable. If the information in question cannot be used to identify the person it belongs to, then it isn't considered PHI.  Common pieces of information that are identifiable are names, addresses, dates of birth, and social security numbers. Everything an identity thief needs. There are actually 18 HIPAA identifiers, which will be listed at the end of this section. Protected Health Information can include:  Demographic info Medical records, lab reports, etc. Services and procedures Payment and billing info  PHI can be found in three forms:  Electronic form On paper Delivered orally/spoken  HIPAA Identifiers Remember that for information to be considered PHI, it must be identifiable. Here are 18 identifiers as outlined in the Privacy Rule.  Names (Full or last name and initial). All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000. 
Dates (other than year) directly related to an individual. Phone numbers. Fax numbers. Email addresses. Social security numbers. Medical record numbers. Health insurance beneficiary numbers. Account numbers. Certificate and license numbers. Vehicle identifiers (including serial numbers and license plate numbers). Device identifiers and serial numbers. Web Uniform Resource Locators (URLs). Internet Protocol (IP) address numbers. Biometric identifiers, including finger, retinal, and voice prints. Full face photographic images and any comparable identifying images. Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6311/welcome-to-prohipaa.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
98      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/hipaa-foundation-conclusion</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3546.mp4      </video:content_loc>
      <video:title>
HIPAA Foundation Conclusion      </video:title>
      <video:description>
In this lesson, we'll quickly recap what you've learned in your ProHIPAA course, and at the end of the lesson, you'll find a Word (or two) about HITECH – what it is, what the goals of the law are, and why it's important. We've gone over what the HIPAA and HITECH laws are, who manages the laws, and who is required to comply. You've learned about covered entities, business associates, and more about PHI than you probably thought possible, and for very good reasons as you now know. For those of you also taking the HIPAA for Leaders course, you'll learn more about HITECH and business associates in that course.  Pro Tip: It's important to note that both covered entities and business associates share in the responsibility to protect personal health information at all times. If you are a covered entity doing all you can to be HIPAA compliant, but you're working with a business associate who isn't, this still poses a significant problem, as all it takes is one weak link in the chain.  For this reason, it's important for all covered entities to ensure that each of their business associates is a trusted partner, has their best interest in mind at all times, and more importantly, is committed to protecting the health data of all of your customers and/or patients. We've covered what the value of PHI is on the black market ($700 when part of a larger identity package) and why cybercriminals want PHI. We've looked a little into areas where PHI can be compromised and even a few recent instances in which PHI was compromised. It's critical to always protect PHI, not only for the safety and security of your customers and patients but also for the legacy and operational integrity of your own business or organization. A data breach isn't just costly in terms of fines. It's also costly in terms of reputation and possible future revenue losses. Knowing that Your Organization is HIPAA Compliant – Priceless! 
If you don't feel confident in your business or organization's ability to become or remain HIPAA compliant, it pays to engage a trustworthy HIPAA compliance partner who can guide you through your HIPAA compliance journey. Even though you've now learned what it takes to become HIPAA compliant, you may still need help getting there. And you certainly have a better understanding of the damage that could occur if your business or organization isn't compliant and suffers a data breach. If you ever feel like you need further assistance, as in a HIPAA compliance guide who can navigate you through those muddy waters, contact us at ProHIPAA.com or call us at 844-722-8898. Thank you, and remember that we're always here to help you. A Word About HITECH The HITECH Act (Health Information Technology for Economic and Clinical Health Act) was introduced during the Obama administration and signed into law on February 17, 2009. The Goals of the HITECH Act The HITECH Act was established to promote and expand the adoption of health information technology, specifically, the use of electronic health records by healthcare providers. The Act also removed some of the loopholes in the HIPAA Act by tightening up the language of HIPAA. This helped to ensure that all business associates were complying with HIPAA Rules, and that when health information was compromised, notifications were sent to the affected individuals in a timely manner. Tougher penalties for HIPAA compliance failures were also introduced to add an extra incentive for healthcare organizations and their business associates to comply with the HIPAA Privacy and Security Rules. The Importance of the HITECH Act Prior to the introduction of the HITECH Act, only 10 percent of hospitals had adopted electronic health records. In order to advance healthcare, improve efficiency and care of patients, and make it easier for health information to be shared between different covered entities, electronic health records needed to be adopted. 
The HITECH Act introduced incentives to encourage hospitals and other healthcare providers to make the change from paper records to electronic records. Had the Act not been passed, there is a good chance that many healthcare providers would still be using paper records today. The HITECH Act also helped to make certain that healthcare organizations and their business associates were complying with the HIPAA Privacy and Security Rules, were implementing safeguards to keep personal health information private and confidential, were restricting the uses and disclosures of health information, and were honoring obligations to provide patients with copies of their medical records upon request. The Act did not make compliance with HIPAA mandatory. That was already a requirement. However, it did make certain that entities found not to be in compliance could be issued substantial fines. Penalties help increase compliance, and sometimes the only language that businesses understand is one that affects the bottom line.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6335/hipaa-foundation-conclusion.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
77      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/welcome-to-prohipaa-for-leaders</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3547.mp4      </video:content_loc>
      <video:title>
Welcome to ProHIPAA for Leaders      </video:title>
      <video:description>
Welcome to the ProHIPAA for Leaders course. If you've just taken the General HIPAA course, you likely have a solid foundation on HIPAA already. In this introductory lesson, we'll be going over what you can expect to learn in this course and what your course objective will be. And at the end of the lesson, we'll provide you with a Word about HIPAA Privacy Officers and HIPAA Security Officers. If your business or organization is in the healthcare industry and works as a covered entity or business associate, you're required to have annual HIPAA compliance training for you and your staff. You're also required to conduct periodic risk assessments and have a Book of Evidence on hand that outlines your practice or organization's policies and procedures. In the course, you'll learn about what it takes to be an effective privacy officer, compliance officer, and trusted business associate. What You Can Expect to Learn In your ProHIPAA for Leaders course, you'll learn the following:  Why risk assessments are required About the HITECH Act of 2009 About the Omnibus Rule of 2013 About the importance of customized policies and procedures to create your Book of Evidence Why business associate agreements are required About the types of violations we often see in the healthcare industry today Why you – as a compliance officer or privacy officer – are key to ensuring your business or organization becomes compliant How to handle complaints and audits from the Office for Civil Rights or attorneys  Your Course Objective The objective of ProHIPAA for Leaders is to train you on how to properly handle PHI, ePHI, and a data breach. Or better yet, how to reduce your chances of a data breach. A Word About HIPAA Privacy Officers and HIPAA Security Officers If you just completed the General HIPAA course at ProHIPAA, you may recall some additional information on the duties of a HIPAA Compliance Officer. 
You might also remember how those duties can be handled by one person or shared – in smaller organizations and businesses – with the person (or people) responsible for privacy and security duties. In this Word, we're going to look at duties for both HIPAA Privacy Officers and HIPAA Security Officers for larger businesses and organizations that have one or more people in each of those positions. HIPAA Privacy Officer A HIPAA Privacy Officer is responsible for developing a privacy program that is HIPAA compliant if one doesn't already exist. Or, if your business already has a privacy program in place, a privacy officer is in charge of ensuring that all privacy policies to protect the integrity of PHI are enforced. Among the duties of a HIPAA Privacy Officer are:  Overseeing or developing ongoing employee privacy training Conducting risk assessments Developing HIPAA compliant procedures where necessary Monitoring compliance with the privacy program Investigating incidents in which a breach of PHI may have occurred Reporting breaches as necessary Ensuring patients' rights in accordance with state and federal laws  In order to fulfill the duties of a HIPAA Privacy Officer, the appointed person will have to keep up to date with relevant state and federal laws. HIPAA Security Officer The duties of a HIPAA Security Officer are quite similar to those of a privacy officer, but with a security focus rather than a privacy focus. The appointed person will be responsible for:  Developing security policies Implementing procedures, training, and risk assessments Monitoring compliance with the security policies  However, the focus of a HIPAA Security Officer is compliance with the Administrative, Physical, and Technical Safeguards of the Security Rule. In this respect, the duties of a HIPAA Security Officer can include such diverse topics as the development of a Disaster Recovery Plan, the mechanisms in place to prevent unauthorized access to PHI, and how ePHI is transmitted and stored. 
Due to how similar these duties are, the roles of a HIPAA Privacy Officer and HIPAA Security Officer are often performed by the same person in smaller organizations and businesses. And in even smaller businesses, one person could be in charge of handling the duties of a HIPAA Compliance Officer as well.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6337/welcome-to-prohipaa-leadership.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
120      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/privacy-and-security-rules</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3540.mp4      </video:content_loc>
      <video:title>
Privacy and Security Rules      </video:title>
      <video:description>
In this lesson, we're going to cover the HIPAA Privacy Rule and the Security Rule. We'll dig into the three safeguards – administrative, physical, and technical – and include rules and examples for each. The HIPAA Privacy Rule establishes standards for protecting patients' medical records and other protected health information (PHI). It specifies two important things:  What rights patients have over their information, and that covered entities must protect that information. What uses and disclosures are authorized or required.  The privacy and security rules allow healthcare providers to share PHI electronically for treatment purposes as long as they apply reasonable safeguards when doing so. A couple of examples of this would be when a physician consults with another physician by secured email regarding a patient's condition, or when a healthcare provider exchanges PHI through electronic medical records for patient care. Covered entities need to engage in safeguards to protect this information. These safeguards include:  Administrative safeguards Physical safeguards Technical safeguards   Pro Tip #1: All covered entities need to perform risk analyses to determine what measures need to be taken to reduce risks and vulnerabilities to an appropriate level.  Administrative Safeguards Administrative safeguards include office rules and procedures that help keep protected health data secure. 
To accomplish this, covered entities should designate security officials who are responsible for the following:  Developing and implementing that covered entity's security policies and procedures Determining who should be authorized to access PHI Training all staff in these security policies and procedures Applying the appropriate sanctions against workforce members who violate those policies and procedures Performing periodic risk assessments of how well the security policies and procedures are meeting the requirements of HIPAA's Security Rule  Example of Administrative Safeguard An example of an administrative safeguard would be allowing only office managers to send protected health information in electronic form. Physical Safeguards Physical safeguards under the HIPAA Security Rule include the following:  Limiting physical access to all facilities while also ensuring that only authorized access is allowed Implementing the covered entity's policies and procedures that specify the proper use of and access to computers and/or the position of screens and monitors in all patient areas Putting into place policies and procedures regarding the physical transfer, removal, disposal, and reuse of all electronic media, such as computer hard drives  Example of Physical Safeguard An example of a physical safeguard would be keeping all patient files in a locked room that only specified and authorized personnel have access to. 
Technical Safeguards Technical safeguards under the HIPAA Security Rule include the following:  Implementing all hardware, software, and/or procedural mechanisms to record and examine access and other activities in all information systems that contain or use protected health information Implementing policies and procedures to ensure that electronic measures are put in place to confirm that all protected health information is not improperly altered or destroyed Implementing technical security measures that guard against unauthorized access to all PHI that is transmitted over an electronic network  Example of Technical Safeguard A couple of examples of technical safeguards would be using data encryption and also strong passwords to better protect files from unauthorized access.  Pro Tip #2: HIPAA's Privacy Rule gives much-needed flexibility to healthcare providers and plans to create their own privacy policies that are tailored to fit their size and needs. However, no matter the size of the covered entity, whether that entity is a small optometrist office or a large hospital with thousands of employees, each covered entity is required to have a written privacy policy.  In general, all covered entities must do everything they can to secure all patient records that contain personally identifiable information so that information isn't readily available to those people who do not need it. You may recall the list of those 18 PHI identifiers that we provided in the last lesson. Also, covered entities must always release only as much protected health information as is necessary to address the specific needs of the entity that is requesting the information, or what the HIPAA regulation refers to as the minimum amount necessary to satisfy the inquiry. You might also recall from the last lesson, that when it comes to transmitting or sharing protected health information, less is always more.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6323/privacy-and-security-rules.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
247      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/hipaa-leadership-conclusion</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3559.mp4      </video:content_loc>
      <video:title>
Conclusion      </video:title>
      <video:description>
In this lesson, we'll simply be recapping what you've learned in your ProHIPAA course and, at the end, make you an offer that is perhaps too good to pass up. In this course, you've learned what the HIPAA and HITECH laws are, who manages the laws, and who is required to comply. You've learned about covered entities, business associates, and more about PHI than you probably thought possible, and for very good reasons, as you now know.

Pro Tip: It's important to note that both covered entities and business associates share in the responsibility to protect personal health information at all times. If you are a covered entity doing all you can to be HIPAA compliant, but you're working with a business associate who isn't, this still poses a significant problem, as all it takes is one weak link in the chain.

For this reason, it's important for all covered entities to ensure that each of their business associates is a trusted partner, has their best interest in mind at all times, and, more importantly, is committed to protecting the health data of all of your customers and/or patients. In this course, you've also learned what the value of PHI is on the black market ($700 when part of a larger identity package) and why cybercriminals want PHI. We've looked a little into areas where PHI can be compromised and even a few recent instances in which PHI was compromised. It's critical to always protect PHI, not only for the safety and security of your customers and patients, but also for the legacy and operational integrity of your own business or organization. A data breach isn't just costly in terms of fines. It's also costly in terms of reputation and possible future revenue losses. Through this leadership course, you've also learned about the responsibilities of a HIPAA Privacy Officer, a HIPAA Security Officer, and business associates. You've learned about the importance of business associate agreements (BAAs), why you are required to have regularly scheduled risk assessments, and why you need a customized Book of Evidence that includes all of your policies and procedures.

Knowing that Your Organization is HIPAA Compliant – Priceless!
If you don't feel confident in your business or organization's ability to become or remain HIPAA compliant, it pays to engage a trustworthy HIPAA compliance partner who can guide you through your HIPAA compliance journey. Even though you've now learned what it takes to become HIPAA compliant, you may still need help getting there. And you certainly have a better understanding of the damage that could occur if your business or organization isn't compliant and suffers a data breach. If you ever feel like you need further assistance, as in a HIPAA compliance guide who can navigate you through those muddy waters, contact us at ProHIPAA.com or call us at 844-722-8898 to schedule your complimentary risk review. Thank you again for choosing ProHIPAA. We are honored to help you become (and stay) HIPAA compliant. We look forward to serving you again in the future, because your legacy matters.
      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6361/hipaa-leadership-conclusion.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
120      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/what-is-protected-health-information</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3539.mp4      </video:content_loc>
      <video:title>
What is PHI?      </video:title>
      <video:description>
In this lesson, we'll be going into some detail on what PHI is. At the end of the lesson, we'll dig into when PHI really isn't PHI, or in other words, exceptions to PHI. In a nutshell, PHI (protected health information) is any information that is individual to a patient – past, present, or future – about the care provided, whether physical or mental, for an individual. This can include documentation of doctor visits, charts and notes made by physicians and other healthcare staff, healthcare payment information, claim status, and the coordination of healthcare benefits.

Pro Tip #1: It's worth noting that HIPAA covers all forms of PHI, including electronic, paper, and even oral/spoken. Many people forget that PHI is also covered under the spoken word. Be especially mindful when discussing healthcare-related information with anyone – other patients, staff, and business associates.

You may recall from the corresponding video for this lesson that one patient overheard two healthcare employees talking about another patient's health information. When in doubt, always assume that someone might be listening, and do everything you can to make sure private conversations take place in private locations. Think of PHI the way you would classified information: you have been given clearance to see it, but it's your responsibility to keep it safe and from falling into the wrong hands at all times.

A More In-Depth Look at PHI
Under HIPAA rules and regulations, PHI is any identifiable health information that is used, maintained, stored, or transmitted by covered entities and business associates. As mentioned above, PHI is health information in any form, including physical records, electronic records, or spoken information. This means that PHI includes health records, health histories, lab test results, and medical bills.

Pro Tip #2: The key point to remember regarding PHI is that, to be considered PHI, it must include individual identifiers, such as patient names, social security numbers, driver's license numbers, insurance details, and birth dates, when they are linked with health information. Demographic information can also be considered PHI under HIPAA Rules.

There are in total 18 identifiers for PHI, and these include the following:
- Names
- Dates, except year
- Telephone numbers
- Geographic data
- Fax numbers
- Social security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers, such as retinal scans and fingerprints
- Any unique identifying number or code

Can PHI be Disclosed for Public Health Activities?
The short answer is yes. However, it's limited to the CDC (Centers for Disease Control and Prevention), public health authorities – federal or state – and OSHA. OSHA is unique because it can request information without authorization or the need to sign a business associate agreement.

Pro Tip #3: One caveat to remember, though, is that covered entities should reasonably limit the amount of PHI given in these circumstances to what is considered a necessary amount and nothing more. Remember, less is more when it comes to sharing personal health information.

So, why would OSHA request PHI? They could do so in the event of a natural disaster or a state of emergency in an attempt to determine the demographics of an affected area. Perhaps they need to mobilize the national guard, first responders, or military personnel to aid in such an emergency. It's important to remember that if you are contacted by someone in the government about sharing PHI, you must verify their legitimacy: request relevant phone numbers and email addresses and ask for a written request.

A Word About the Exceptions to PHI
You may be tempted to think that all health information is considered PHI under HIPAA, but this isn't true; there are some exceptions. One determining factor is who records the information. A good example of this would be health trackers, such as physical devices worn on the body or apps on mobile phones. These devices can record health information such as heart rate or blood pressure, which would be considered PHI under HIPAA rules if the information was recorded by a healthcare provider or was used by a health plan. However, the HIPAA rules only apply to HIPAA covered entities and their business associates. This means that if a device manufacturer or app developer hasn't been contracted by a HIPAA covered entity and also isn't a business associate, the information recorded would not be considered PHI under HIPAA rules. The same applies to education or employment records. Let's say a hospital holds data on its employees, which can include some health information like allergies or blood types; HIPAA rules do not apply to this type of information. Also, it's important to remember that under HIPAA, PHI ceases to be PHI if it's stripped of all the identifiers listed above that can tie the information to an individual. When those identifiers are removed, the health information is technically referred to as de-identified PHI, and thus HIPAA rules no longer apply.
      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6321/what-is-protected-health-information.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
260      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/what-is-an-audit-and-how-do-i-handle-it</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3558.mp4      </video:content_loc>
      <video:title>
What is an audit and how do I handle it?      </video:title>
      <video:description>
In this lesson, we'll be covering what an audit by the Office for Civil Rights could entail, ways to help prevent an audit or make one go more smoothly, and why having a Book of Evidence is so vital. At the end of the lesson, we'll stick with our recent looks at HIPAA violations with a Word about criminal penalties for HIPAA violations.

An audit by the Office for Civil Rights requires you to provide the following:
- A copy of your last risk assessment
- A copy of your last risk report
- Your HIPAA compliance training logs
- Your Book of Evidence

Pro Tip #1: When it comes to HIPAA in general, and particularly with audits, it's imperative for all business associates and covered entities to be as proactive (rather than reactive) as possible. What does being proactive look like? Great question!

You can be proactive, first and foremost, by covering all your bases regarding the following:
- Conduct annual risk assessments.
- Conduct annual compliance training.
- Stay current with all of your policies and procedures.

Rely on Your Book of Evidence
As we've stated before, your Book of Evidence is a HIPAA requirement (and not a suggestion). A good Book of Evidence must include, but isn't limited to, the following:
- Your policies and procedures for how to handle PHI and ePHI
- Your business continuity plan
- Your data breach plan

Pro Tip #2: Having your Book of Evidence ready at all times can help an audit process go much more smoothly and hopefully speed things up a bit as well, especially if your Book of Evidence is up to date and all of your training records are current.

A Word About Criminal Penalties for HIPAA Violations
Before we dig into a word about criminal penalties for HIPAA violations, let's first look at whether HIPAA violations can even be criminal.

Can HIPAA Violations be Criminal?
When a HIPAA covered entity or business associate violates HIPAA Rules, civil penalties can be imposed. When healthcare professionals violate HIPAA, it's often their employer that receives the penalty, but not always. If healthcare professionals knowingly obtain or use PHI for reasons that are not permitted by the HIPAA Privacy Rule, they may be found to be criminally liable for the HIPAA violation under the criminal enforcement provision of the Administrative Simplification subtitle of HIPAA. Criminal HIPAA violations are prosecuted by the Department of Justice, which is increasingly taking action against individuals who have knowingly violated HIPAA Rules. There have been several cases that have resulted in substantial fines and prison sentences. Criminal HIPAA violations include theft of patient information for financial gain and wrongful disclosures with intent to cause harm. A lack of understanding of HIPAA requirements may not be a valid defense. When an individual knowingly violates HIPAA Rules, "knowingly" means that they have some knowledge of the facts that constitute the offense, not that they definitely know that they are violating HIPAA Rules.

Criminal Penalties for HIPAA Violations
As you probably know by now, criminal penalties for HIPAA violations are divided into separate tiers, with the term and an accompanying fine decided by a judge based on the facts of each individual case. As with the Office for Civil Rights, a number of general factors are considered which will affect the penalty issued. If an individual has profited from the theft, access, or disclosure of PHI, it may be necessary for all payments received to be refunded, in addition to the payment of a fine. The three tiers of criminal penalties for HIPAA violations are:
- Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail.
- Tier 2: Obtaining PHI under false pretenses – Up to 5 years in jail.
- Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail.

In recent months, the number of employees discovered to be accessing or stealing PHI (for various reasons) has increased. The value of PHI on the black market is considerable, and this can be a big temptation for some individuals. It is therefore essential that controls are put in place to limit the opportunity for individuals to steal patient data, and that systems and policies are put in place to ensure improper access and theft of PHI is identified promptly. All staff likely to come into contact with PHI as part of their work duties should be informed of the HIPAA criminal penalties and that violations will not only result in loss of employment, but potentially also a lengthy jail term and a heavy fine. State attorneys general are cracking down on data theft and are keen to make examples of individuals found to have violated HIPAA Privacy Rules. A jail term for the theft of HIPAA data is therefore highly likely.
      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6359/what-is-an-audit-and-how-do-i-handle-it.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
60      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/proper-transportation-of-phi-and-ephi</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3548.mp4      </video:content_loc>
      <video:title>
Proper Transportation of PHI and ePHI      </video:title>
      <video:description>
In this lesson, we're going to show you how NOT to transport PHI (aka explain a little more about common sense). And at the end of the lesson, we're going to take a look at healthcare data breach statistics, which clearly show why lessons like this are important.

You probably recall from the corresponding video for this lesson that nurse Joy decided to go into a grocery store and leave patient records, along with her computer, in plain sight … and with her windows down and her doors presumably unlocked. It probably wasn't much of a shock to you when someone came along and took it all easily right through her open window. This is poor security! Nurse Joy didn't properly secure the PHI, ePHI, or even her computer. You could use this example when training your staff about properly securing PHI. And while this all may seem a bit too much like an abuse of common sense, there have no doubt been numerous real-life incidents just like this, only with better acting.

Quiz: What should nurse Joy have done differently?
a) Rolled up her windows
b) Locked her car doors
c) Placed the PHI and her computer out of sight
d) All of the above
If you chose D, you are correct! If you need to transport medical records or mobile devices that contain PHI, make sure to do all of the above to keep them secure. However, just taking PHI off-premises could also be a no-no, and therefore must be documented in your policies and procedures, along with secure means of transporting personal health information if it is allowed.

A Word About Healthcare Data Breach Statistics
Healthcare data breach statistics clearly show that there has been an upward trend in data breaches over the past nine years, with 2018 seeing more data breaches reported than any other year since records first started being published in 2009.

Warning: The prevalence of this problem is a bit shocking.

Between 2009 and 2018 there have been 2546 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 189,945,874 healthcare records. That equates to more than 59% of the population of the United States. Healthcare data breaches are now being reported at a rate of more than one per day. There has been a general upward trend in the number of records exposed each year, with a massive increase in 2015. This was far and away the worst year in history for breached healthcare records, with more than 113.27 million records exposed. The best year was 2012, with just 2,808,042 healthcare records exposed. The good news is that the situation has improved since 2015, with successive decreases in the number of exposed records, although that trend did not continue in 2018. The number of exposed records more than doubled from 5,138,179 records in 2017 to 13,236,569 records in 2018. However, that is still far lower than those outrageous 2015 statistics.

The Largest Healthcare Data Breaches
To understand how enormous this problem is, let's look at the three largest healthcare breaches to date, all of which occurred in 2015. All three were caused by a hacking or IT incident. And all three covered entities involved were health plans.
1. Anthem Inc.: 78,800,000 individuals affected
2. Premera Blue Cross: 11,000,000 individuals affected
3. Excellus Health Plan Inc.: 10,000,000 individuals affected
That's three incidents affecting 100 million people, or roughly 30 percent of the U.S. population, and all three occurring in the same year.

Hacking is the Leading Cause
Data breach statistics show hacking is now the leading cause of healthcare data breaches, although it should be noted that healthcare organizations are now much better at detecting hacking incidents. The low number of hacking/IT incidents in earlier years could be partially due to the failure to detect hacking incidents and malware infections quickly. Many of the hacking incidents between 2014 and 2018 occurred many months, and in some cases years, before they were detected.

Hacking isn't the Only Cause
As with hacking, healthcare organizations are getting better at detecting internal breaches and also reporting those breaches to the Office for Civil Rights. While hacking is the main cause of breaches, unauthorized access/disclosure incidents are not far behind. Healthcare data breach statistics show HIPAA covered entities and business associates have got significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public. Many of these theft/loss incidents involve paper records, which can equally result in the exposure of large amounts of patient information. Yes, the video example for this lesson seems extraordinarily laughable, and yet this actually happens. Just because you have more sense than that, it would be unwise to assume all the employees in your business or organization share that uncommon sense, which is why lessons like this still must exist.
      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6339/proper-transportation-of-phi-and-ephi.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
110      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/what-is-hitech</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3550.mp4      </video:content_loc>
      <video:title>
What is HITECH?      </video:title>
      <video:description>
In this lesson, we're going to cover the HITECH Act, including its goals, its importance, and a few details. At the end of the lesson, we're going to provide you with answers to some common business associate agreement questions.

The HITECH Act (Health Information Technology for Economic and Clinical Health Act) was introduced during the Obama administration and signed into law on February 17, 2009. The HITECH Act expanded the responsibilities of business associates under the security and privacy rules. Responsibilities and requirements for covered entities and their business associates include:
- Providing notification following a breach of unsecured protected health information
- Limitations on the sale of PHI, marketing, and fundraising communications
- Stronger individual rights to access electronic medical records
- Restriction of the disclosure of certain information
- Only using PHI for proper purposes
- Protecting PHI at all times

The Goals of the HITECH Act
The HITECH Act was established to promote and expand the adoption of health information technology, specifically the use of electronic health records by healthcare providers. The Act also removed some of the loopholes in the HIPAA Act by tightening up the language of HIPAA. This helped to ensure that all business associates were complying with HIPAA Rules, and that when health information was compromised, notifications were sent to the affected individuals in a timely manner. Tougher penalties for HIPAA compliance failures were also introduced to add an extra incentive for healthcare organizations and their business associates to comply with the HIPAA Privacy and Security Rules.

The Importance of the HITECH Act
Prior to the introduction of the HITECH Act, only 10 percent of hospitals had adopted electronic health records. In order to advance healthcare, improve efficiency and care of patients, and make it easier for health information to be shared between different covered entities, electronic health records needed to be adopted. The HITECH Act introduced incentives to encourage hospitals and other healthcare providers to make the change from paper records to electronic records. Had the Act not been passed, there is a good chance that many healthcare providers would still be using paper records today. The HITECH Act also helped to make certain that healthcare organizations and their business associates were complying with the HIPAA Privacy and Security Rules, were implementing safeguards to keep personal health information private and confidential, were restricting the uses and disclosures of health information, and were honoring obligations to provide patients with copies of their medical records upon request. The Act did not make compliance with HIPAA mandatory; that was already a requirement. However, it did make certain that entities found not to be in compliance could be issued substantial fines. Penalties help increase compliance, and sometimes the only language that businesses understand is one that affects the bottom line.

Some Common Business Associate Agreement Questions

Who does a business associate agreement apply to?
Covered entities can be fined for not having a HIPAA business associate agreement in place or for having an incomplete agreement in place. And even if one wasn't in place, business associates are still obligated to comply with the HIPAA Security Rule. However, the issue for many covered entities is that they are often unsure who a HIPAA business associate agreement actually applies to. The Department of Health and Human Services defines a business associate as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity, if that helps. However, exclusions to this definition exist, and it may be the case that the scope of a covered entity's relationship with a vendor changes over time. As you can see, it's not exactly black and white, or even finite.

Can you insist that every contractor sign a BAA?
Some covered entities have taken a better-safe-than-sorry approach to address their definition issues and have executed agreements with all entities they have business relationships with, even when not required. Recent research funded by the California Healthcare Foundation found that many covered entities were entering into agreements with other covered entities unnecessarily and were also entering into agreements with vendors who had no access to PHI and were never likely to.

What does access to ePHI include?
Many vendors are not given PHI to perform tasks on behalf of the covered entity, but ePHI passes through their systems. Many software solutions touch ePHI, which means the software provider is classed as a business associate. There are exceptions for entities that merely act as conduits through which ePHI simply passes, although most cloud service and software providers are not excepted from compliance with HIPAA, and BAAs are required.

Can I use a business associate agreement template?
There are many HIPAA business associate agreement templates available, but care should be taken before they are used. Before using such a template, it's important to check for whom that template has been designed to make sure it's relevant. It should also be personalized to include all of the requirements stipulated by the covered entity.
      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6343/what-is-hitech.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
91      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/the-history-of-hipaa</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3535.mp4      </video:content_loc>
      <video:title>
The History of HIPAA      </video:title>
      <video:description>
In this lesson, we'll dig a little deeper into what HIPAA is, what it covers, the evolution of protecting healthcare patient data, and the benefits that this legislation produces.

In the 1990s, as the internet was coming onto the scene and growing rapidly, Congress recognized the need to establish a system that would help enforce the rights of patients and, at the same time, protect the privacy of their medical records. This need and the realization of it led to the creation of the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. Eventually, additional layers of protection would follow with more legislation. As health records were becoming digitized, this led to the HITECH Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act of 2009. And finally … the Omnibus Rule of 2013 expanded how technology companies protected healthcare data, while also enforcing the security and policies set forth by the Health and Human Services Office for Civil Rights.

This important U.S. legislation provides data privacy and security provisions for safeguarding medical information. It includes the portability of insurance information between covered entities and providers to insurance companies. And it covers the protection and privacy of healthcare information transmitted electronically. Obvious benefits of such legislation include helping to improve the standardization and efficiency of healthcare data and helping to prevent discrimination and fraud.

A Word About PHI Guidelines
Remember, for information to be considered PHI – Protected Health Information – it must be healthcare-related and it must be identifiable, as in able to identify the person whose information it is. PHI can include demographic information, medical records, services rendered, and payment and billing information. And more importantly, as it pertains to this section, PHI can be:
- In electronic form
- In paper form
- Orally delivered

And now let's turn from the theoretical to the practical with a question: What can covered entities and business associates do to better protect this information? It depends on how the information was delivered or in what form it currently resides. But whatever form that PHI takes, we have a set of guidelines that will help you protect it. (On a side note, if you were longing for some lists, you're going to be very excited.)

In-Person Conversations Guidelines
- Discuss patients' PHI in private. Use an office with a door whenever possible, or leave areas where others can overhear.
- Be aware of those around you and lower your voice when discussing a patient's health information.
- If possible, point out health information on paper or on-screen nonverbally when discussing a patient's health information.

Telephone Conversations Guidelines
- Follow the above guidelines plus …
- Don't use names; instead say "I have a question about a patient."
- Never give PHI over the phone when talking to unknown callers.
- Never leave PHI on voice messages. Instead, leave a message requesting a return call to discuss a patient, and leave only your name and phone number.
- Do not discuss PHI over unencrypted cellular or portable (wireless) phones except in an emergency, as the transmissions can be intercepted.

Texting Guidelines
- Use a secure text messaging system.
- Develop, document, and implement your organization's mobile device policies and procedures to safeguard health information.

Faxing Guidelines
- Put fax machines in a safe location. That means in places where people who shouldn't have access to them don't.
- Use a cover sheet clearly identifying the intended recipient and include your name and contact information on the cover sheet. Do not include or reference any PHI on the cover sheet.
- Confirm the fax number is correct before sending.
- Whenever possible, send faxes containing patient health information only when the authorized recipients are there to receive them.
- Verify that the fax was received by the authorized recipient; check the transmission report to ensure the correct number was reached and, when necessary, contact the authorized recipient to confirm receipt.
- Deliver received faxes to the recipient as soon as possible. Do not leave faxes unattended at the fax machine.

Emailing Guidelines
- Do not include PHI in the subject line or the body of an email. Transmit PHI only in a password-protected attachment. (MS Word and MS Excel both provide password protection.)
- Include a confidentiality attachment in any emails that contain attachments with PHI.
- Do not send attachment passwords in the same email as the attachment.
- Include your contact information (at minimum, your name and phone number) as part of the email.
- Set email sending options to request an automatic return receipt from your recipients.
- Request that email recipients call to discuss specific patient data.
- Do not store emails or email attachments with PHI on your hard drive. Instead, copy and store them to a secure server.
- Delete all emails and their attachments when they are no longer needed.

Courier and Regular Mail Guidelines
- Use sealed and secured envelopes to send PHI.
- Verify that the authorized person accepting the package has received it.
- Deliver all mail promptly to the recipient.
- Mailboxes must be in safe areas and not located in public or high-traffic areas.

Inter-Office Mail Guidelines
- Put PHI in closed inter-office envelopes. As an added precaution, put PHI in a sealed envelope first.
- Identify the recipient by name and verify the mail center address.
- Distribute inter-office mail promptly to recipients. Do not leave it unattended in mailboxes.
- Where practical, use lockable containers (e.g. briefcases) to transport correspondence that contains PHI.
      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6313/the-history-of-hipaa.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
83      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/hipaa-social-media-mobile-devices-email-and-faxes</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3544.mp4      </video:content_loc>
      <video:title>
HIPAA and Social Media, Mobile Devices, Email and Faxes      </video:title>
      <video:description>
In this lesson, we'll be covering HIPAA law as it applies to social media, mobile devices, email, and faxes. And at the end of the lesson, we'll provide you with a brief Word about guidelines for properly disposing of protected health information, or PHI.

HIPAA Law &amp; Social Media
HIPAA law covers all PHI in electronic formats (also known as ePHI). This includes the following social media platforms:
- Facebook
- Twitter
- Snapchat
- Instagram
- Any and all others

Pro Tip #1: While we as a society find it absolutely necessary to share everything on social media these days – including contrary opinions and meals we're about to consume – never under any circumstance should you disclose patient information, like names and treatments, on any social media platform.

Remember, though we're sure you know better, common sense is not all that common, which is why these things need to be said. And why we have to also note that if you do any of the above, you could be personally liable, financially and criminally, for disclosing any protected health information on social media platforms.

HIPAA Law &amp; Mobile Devices
Mobile devices include but are not limited to:
- Smartphones
- Tablets
- Laptops

Pro Tip #2: While disclosing PHI on social media is always a no-no, mobile devices can be used to share protected health information IF appropriate safeguards are in place.

What does IF mean? In short, we're referring to encryption. If you are sharing PHI on mobile devices, you have to use an encrypted texting or chatting platform. You cannot simply pick up your phone and text PHI to a doctor, nurse, health plan, insurance company, etc. Why can't you do this? Because standard texting platforms:
- Have only limited encryption
- Are not HIPAA compliant
- Use a cloud that stores all text messages

HIPAA Law &amp; Email Platforms
Standard email platforms are also not compliant according to HIPAA, and these include:
- Gmail
- Hotmail
- AOL (which may or may not be extinct)
- Yahoo!
- Any local IT provider's email platform

All emails sent through the above free platforms are subject to automated processing. Your email and sensitive patient data will be scanned for targeted advertising when using those platforms.

Pro Tip #3: It's important to note that while Google has chosen not to sign a business associate agreement (BAA) for its Gmail platform, its paid service – G Suite – has signed BAAs. Other paid email platforms may also be acceptable, like Microsoft Office 365. The key is the provider's willingness to sign a business associate agreement.

HIPAA Law &amp; Faxes
Faxes are an approved and HIPAA compliant means of sending PHI. However, you still need to be mindful when doing so. This means always using a cover sheet before sending a fax that contains protected health information. What if you send a fax containing PHI in error? If this happens, you need to contact the receiver and notify them to destroy the fax. Likewise, if you receive a fax containing PHI in error, you must notify the sender and also destroy the information.

A Word About Guidelines for Properly Disposing of PHI
Disposing of PHI is of the utmost importance, particularly in our modern digital world where deleted tweets aren't really ever gone. The following PHI disposal guidelines should ensure that you and your organization remain HIPAA compliant.
- Shred all hard copies containing PHI when the copies are no longer needed
- Place hard copies to be recycled in locked recycle bins if available
- Delete all soft copy files containing PHI from your computer and from the server when the information is no longer needed within the record retention requirements
- Destroy all disks, CDs, etc., that contained PHI before disposing of them
- Do not reuse disks or CDs that contained PHI without sanitizing them first
- Contact your IT department before transporting or transferring equipment for proper procedures to move equipment and to sanitize hard drives and other media
- Return the PHI to the sender, if this requirement is stipulated in any contractual agreements      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6331/hipaa-social-media-mobile-devices-email-and-faxes.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
112      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/who-is-required-to-comply-with-hipaa-laws</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3536.mp4      </video:content_loc>
      <video:title>
Who is required to comply with HIPAA laws?      </video:title>
      <video:description>
In this lesson, we'll go over who's required to comply with HIPAA laws and the group the law directly applies to – covered entities. You may notice a bit of overlap with the lesson "What is HIPAA." Not to worry; it's all part of the secret sauce. Repetition is how we learn.

Covered entities include:
- Healthcare providers
- Health plans
- Healthcare clearinghouses

What is a Covered Entity?
A covered entity is any provider of medical or other health-related services, or a person that has access to protected health information. Examples include healthcare providers and health plans, but also organizations and individuals that provide billing services or are paid in connection with these services in the normal course of doing business.

What is a Health Plan?
A health plan is any individual or group plan that provides or pays the cost of healthcare services, such as an HMO, an insurance company, and Medicaid and Medicare.

What is a Business Associate?
A business associate is any company or individual with direct or incidental access to PHI or ePHI. Business associates are required to have in place:
- A risk assessment plan
- Proper training
- Specific policies and procedures

Examples of business associates include:
- IT vendors
- Call centers
- Court reporters
- Cloud providers
- Legal services providers
- Suppliers and manufacturers with access to PHI and ePHI

Business associates have the same requirements as covered entities to protect PHI and are required to notify covered entities of any potential and/or active data breaches. Business associates must also comply with HIPAA requirements by signing a contractual agreement with the covered entity – known as a Business Associate Agreement (BAA).

A Word About Protecting PHI at Workstations
At the end of the last lesson, we took a look at some guidelines and best practices for protecting PHI during communications, whether they be written, spoken, or electronic. In this section, we're going to tackle workstation use and workstation security and provide you with some guidelines for keeping them safe and secure. Along with workstation use and workstation security, there are two other standards when it comes to HIPAA's Physical Safeguards for protecting PHI – facility access controls and device and media controls. (Which we'll likely address in detail at another time.) HIPAA's Security Rule defines Physical Safeguards as "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."

Workstation Use
The HIPAA Privacy Rule defines a workstation as any "electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment." Inappropriate use of workstations increases a covered entity's risk, including the risk of virus attacks and other breaches. To comply with the workstation use standard, HIPAA requires all covered entities to: "Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information." It should be noted that this workstation use standard also includes remote work environments – any work from a remote location (home, travel, satellite office) – where employees have access to ePHI.

Workstation Security
Workstation security is another standard that has been put in place to better protect PHI. This standard requires covered entities to: "Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users." So, what are some safeguards or guidelines that will help protect PHI and ePHI at workstations? What a well-timed question.

Computer Workstation Guidelines to Protect PHI
To help protect PHI at workstations, consider implementing the following strategies:
- Use password-protected screen savers, and turn off computers, or at least log out of the network, when not at your desk.
- Position computer monitors so they are not visible to others.
- Secure workstations and laptops with passwords. Change passwords on a regular basis.
- Do not leave laptops, other work-related devices, or PHI visible or unsecured in a car, home office, or any public area.
- Ensure that all PHI – including that used outside of the work environment – is protected using appropriate measures, such as being stored in locked desks and file cabinets.
- Never remove original copies of PHI without your supervisor's approval.
- Store files that contain PHI on a secure server, not on your workstation hard drive.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6315/who-is-required-to-comply-with-hipaa-laws.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
84      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/what-do-i-do-if-i-get-a-hipaa-complaint</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3557.mp4      </video:content_loc>
      <video:title>
What do I do if I get a HIPAA Complaint?      </video:title>
      <video:description>
In this lesson, we'll be covering what you should do if you get a HIPAA complaint, including the steps you should take if you both get a complaint and suffer a data breach. At the end of the lesson, we'll stick with our recent looks at HIPAA violations with a Word about the HIPAA violation penalty structure.

If You Receive a HIPAA Complaint
If you receive a complaint from a patient or a business about your handling of protected health information, you should remedy the situation using the following steps:
- Make a note of the complaint in your incident log.
- Provide a complaint form to the patient or business making the complaint to complete. The form is used to help explain the complaint in detail.
- Your privacy officer should conduct a thorough formal investigation into the complaint to identify whether any policies or procedures were not followed and whether there was a potential data breach that could have impacted PHI.

If You Suffer a Data Breach
Let's say you take a complaint seriously and discover it was not only valid, but PHI was indeed breached. What do you do now? If your privacy officer does identify that PHI has been breached, take the following steps:
- Log the data breach in a data breach log.
- Perform a risk assessment to help identify security gaps and vulnerabilities.
- Notify all of the impacted individuals of the data breach. Be mindful of time – report the data breach before the standard federal 60-day notification deadline, or the state notification deadline if it is more restrictive.
- After a risk report has been created from the risk assessment, you must document your remediation plan and remediate the risks in a timely manner.

A Word About HIPAA Violation Penalty Structure
Each category of violation carries a separate HIPAA penalty. It is up to the Office for Civil Rights to determine a financial penalty within the appropriate range. They will consider a number of factors when determining penalties, such as the length of time a violation was allowed to persist, the number of people affected, and the nature of the data exposed. An organization's willingness to assist with an Office for Civil Rights investigation is also taken into account. The general factors that can affect the level of financial penalty also include prior history, the organization's financial condition, and the level of harm caused by the violation. You may recall from the last Word section of the last lesson that there was a tier system when it comes to HIPAA's penalty structure. Well, there's also a tier system when it comes to assessing fines.
- Tier 1: Minimum fine of $100 per violation up to $50,000.
- Tier 2: Minimum fine of $1,000 per violation up to $50,000.
- Tier 3: Minimum fine of $10,000 per violation up to $50,000.
- Tier 4: Minimum fine of $50,000 per violation.

The above fines for HIPAA violations are those stipulated by the HITECH Act. It should be noted that these are adjusted annually to take inflation into account. A data breach or security incident that results from any violation could see separate fines issued for different aspects of the data breach under multiple security and privacy standards. For instance, a fine of $50,000 could, in theory, be issued for any violation of HIPAA rules, however minor it turns out to be. A fine can also be applied on a daily basis. For example, if a covered entity has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, the Office for Civil Rights may decide to apply a penalty per day that the covered entity has been in violation of the law. In that case, the penalty would be multiplied by 365, not by the number of patients that have been refused access to their medical records.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6357/what-do-i-do-if-i-get-a-hipaa-complaint.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
75      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/why-cybercriminals-want-phi</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3543.mp4      </video:content_loc>
      <video:title>
Why Cybercriminals Want PHI      </video:title>
      <video:description>
In this lesson, we'll be covering why cybercriminals want PHI, the value of PHI on the black market, and some examples of what ransomware looks like. We'll also show you some ways you can protect PHI and ePHI and what your obligation is in the event of a data breach at your place of employment. And at the end of the lesson, we'll have a one-question quiz that we're certain you'll pass.

As of 2019, the healthcare industry has the 4th largest number of data breaches among the top five business sectors in the U.S. These sectors include, in order of the number of breaches from highest to lowest:
- Financial services
- Retail
- Government
- Healthcare
- Manufacturing

Since healthcare ranks as high as it does for data breaches, it's important that you actively protect PHI and ePHI at all times.

The Value of PHI on the Black Market
When credit card numbers and bank account numbers are stolen, their lifespan is very short, as they're only useful until the victim cancels the card or closes the account.

Pro Tip #1: The information contained in medical records is much more valuable than credit card numbers and bank account numbers and has a much broader utility. This information can be used to commit multiple types of fraud and/or identity theft and (here's the important part) does not change even after it has been compromised. You can't cancel your social security number, for instance.

For this reason, the value of this type of personal data to cybercriminals is much higher than credit card numbers and bank account information alone. A credit card number in a vacuum only has a selling price of $1 to $2 in the underground market. However, when a single credit card number is stolen and sold as part of a complete identity profile, that price in the underground market increases dramatically and jumps to around $720. As we've learned from the recent Equifax breaches and the WannaCry ransom attacks, along with dozens or hundreds of lower-profile electronic attacks, PHI is extremely valuable to cybercriminals who can create and sell these identity packages on the dark web.

How You Can Help Protect PHI
The reasons outlined above are why it's so vital that you actively protect PHI and ePHI at all times. Over the last few years alone, and just using ransomware cases as an example, these types of cybersecurity threats have increased by more than 500 percent. Platforms used for ransomware attacks are platforms you likely use daily at work (professionally and personally while at work) and include:
- Business applications
- USB drives
- Social media
- Website attachments
- Email

Warning: Be especially cautious when using USB drives, as they are usually used in multiple locations and can therefore become infected easily, as well as spread those infections equally easily.

Having said that, email is still the most common offender and medium for distributing ransomware and other potentially harmful bugs and viruses. When it comes to email, there are two places to be especially aware of as far as viruses go:
- Around 38 percent of all viruses come embedded in the email itself, which means just opening the email is enough to possibly contribute to a data breach.
- Around 28 percent of all viruses come inside an attachment, which is why you never open an attachment from a sender you don't know. However, …

Pro Tip #2: There is no reason to get to the suspicious attachment stage. If you ever receive a suspicious-looking email, DO NOT OPEN IT! Simply delete it and notify those in your organization responsible for such things, like your compliance officer, IT company, and so forth.

You may recall the example in the corresponding video for this lesson. The employee notices that an email looks weird and asks her manager what she should do. The manager shows her the proper way to handle such an email – mark it as junk and then empty the junk folder. The other important lesson from the video example is letting your privacy officer know when you receive a suspicious email, in case other employees receive the same email. It only takes one instance of an employee opening an email containing a virus to lead to a data breach.

Quiz: You just received a strange-looking email; what do you do?
- A. I do not open it
- B. I delete the email
- C. I notify my manager, privacy officer, etc.
- D. All of the above

If you answered D, congratulations! You just demonstrated uncommon sense. Seriously though, it's about good decision making and making those good decisions habitual.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6329/why-cybercriminals-want-phi.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
193      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/what-are-patients-rights-with-phi</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3541.mp4      </video:content_loc>
      <video:title>
What are Patients' Rights with PHI?      </video:title>
      <video:description>
In this lesson, we're going to go over patients' rights, what information requires authorization, what information does not require authorization, and give you a few examples along the way. At the end of the lesson, we'll provide you with an additional Word about patient health information privacy rights.

Most of us believe that our medical information and other health information is private and should be protected, and many want to know who has this information. The HIPAA Privacy Rule gives patients rights over their health information and sets rules and limits on who can look at and receive their protected health information.

Covered Entities and Patients' Rights

Pro Tip #1: All covered entities are required to provide individuals with a privacy practices policy whenever it is requested. A healthcare organization's privacy practices policy should describe several things, including:
- How medical information about the patient will be used and disclosed
- How patients can get access to their medical information if it is requested
- The process for patients to use when filing complaints regarding their PHI
- What types of uses and disclosures of PHI are permitted
- What types of uses and disclosures require authorization

These patient rights include asking for a copy of their healthcare provider's rights and privacy policies when they visit their primary physician or local hospital. All patients are entitled to see or get a copy of their own medical records that each healthcare practice or organization keeps.

Pro Tip #2: All covered entities must provide, upon request, an accounting of all protected health information disclosures made for treatment, payment, and healthcare operations during the prior six years. This includes all financial records, as they are tied to the healthcare services.

One important caveat for patients: If you are receiving medical care while also paying for your own medical services, you are not required to disclose any protected health information to your health plan.

Patient Authorization

Pro Tip #3: Patient authorization is necessary for covered entities, like healthcare organizations, to obtain an individual's personal health information and billing information for purposes other than treatment, payment, or healthcare operations. However, it is not required in order for the patient to receive treatment. And as you'll see below, there are some exceptions that should be noted.

A common question many physicians have is: Can I see a patient without getting written authorization? The answer is, yes, you can. However, it's a good idea to update their medical records and make a note of it when or if it happens.

Sharing Patient Information Without Authorization:
- Referrals and Treatment: When referring a patient to another healthcare provider, you do not need written authorization from the patient to share the health information necessary for treatment purposes.
- Worker's Compensation and OSHA: In the event of a worker's compensation claim or a directive from OSHA, physicians can provide patient information without the need to receive authorization from the patient.

Other circumstances that do not require patient authorization are situations when there's a need to alert law enforcement officials of an imminent danger, either to the patient himself/herself or if the patient is a danger to others. An example of this would be trying to protect a minor from abuse. If you're a physician who suspects abuse, you are authorized to report it.

Another example: The HIPAA Privacy Rule allows covered healthcare providers to disclose protected health information about students to school nurses, physicians, or other healthcare providers for treatment purposes without requiring authorization of the student or the student's parents or guardians. For instance, a student's primary care physician can discuss a student's medication or other healthcare needs with a school nurse who will administer medications and provide care to the student while he or she is at school.

A Word About Patient Health Information Privacy Rights
For patients, knowing their rights is the first step to protecting them.

How can Patients get Their Health Information?
As noted at the beginning of this lesson, patients can ask to see or get a copy of their medical records and other health information. However, if they want a copy, they may have to put their request in writing and pay for the cost of copying and mailing. In most cases, their copies must be given to them within 30 days.

How can Patients Change Their Health Information?
Patients can ask to change any wrong information in their file or add information if they think something is missing or incomplete. For example, if a patient and his or her hospital agree that the file has the wrong results for a test, the hospital must change it. Even if the hospital believes the test result is correct, patients still have the right to have their disagreement noted in their file. In most cases, the file should be updated within 60 days.

How can Patients Know Who Has Seen Their Health Information?
By law, patients' health information can be used and shared for specific reasons not directly related to their care, like making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in the patients' area, or reporting as required by state or federal law. In many of these cases, patients can find out who has seen their health information. Patients have two options:
- Learn how their health information is used and shared by their doctor or health insurer.
- Let their providers or health insurance companies know if there is information they do not want to share.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6325/what-are-patients-rights-with-phi.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
162      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/hipaa-breaches-violations-and-penalties</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3542.mp4      </video:content_loc>
      <video:title>
HIPAA Breaches, Violations and Penalties      </video:title>
      <video:description>
In this lesson, we'll be taking an introductory look at HIPAA data breaches, violations, and penalties. And at the end of the lesson, we'll look at some of the more recent healthcare data breaches and what caused them.

In 2008, total HIPAA breach fines were a scant $100,000. And while this may sound like a pretty good amount of money, we've seen these data breach fines jump up every year in ways that may shock you, culminating with a record year in 2017, which no doubt will be broken once 2018's figures are calculated. Here's a look at how those data breach fines have been growing exponentially:
- 2008: $100,000
- 2010: $1.3 million
- 2012: $4.8 million
- 2014: $7.9 million
- 2016: $20.7 million
- 2017: $23 million
- 2018: $28.6 million

As you can see, not only has there been a steady increase in fines every year, but they've been increasing at a pace beyond rapid.

Pro Tip: It's important for covered entities to have policies and procedures in place. One way to do this is by creating a Book of Evidence. Not only is this a HIPAA requirement, but it can help protect businesses in case of a data breach, violation, or audit. We'll be digging into the Book of Evidence in a subsequent lesson.

You may recall from the corresponding video for this lesson how an employee had sticky notes containing passwords at her workstation and in plain sight. This would be an obvious violation of HIPAA security policies and an obvious example that common sense is actually pretty uncommon. If, like the person in the video, you also can't remember passwords, find a better way to keep them handy and secure, rather than just handy. Putting those sticky notes under your keyboard may seem like a good place, but that's kind of like putting your house keys under your welcome mat or your car keys on top of the visor – in other words, places thieving people will no doubt look. And since you are required by law to have passwords in order to access PHI, make sure those passwords are complex and your storage location secure.

A Word About Recent Healthcare Data Breaches
This Word section is simply to provide you with an idea of how common, varied, and potentially devastating these data breaches can be, by highlighting a few of the more recent healthcare data breaches, as of the end of the year 2019.

New Mexico Hospital Discovers Malware on Imaging Server
Discovered on November 14, 2019
Roosevelt General Hospital in Portales, New Mexico recently discovered malware on a digital imaging server used by its radiology department. The malware may have allowed cybercriminals to gain access to the radiological images of around 500 patients. The malware infection was discovered on November 14, 2019, and prompt action was taken to isolate the server in order to prevent further unauthorized access and block communications with the attackers' command and control server. The IT department was able to remove the malware and rebuild the server, and all patient data was recovered. A scan was conducted to identify any vulnerabilities, and the hospital is now satisfied that the server is secured and protected. The investigation into the breach did not uncover any evidence to suggest that PHI and medical images were viewed or stolen by the hackers, but the possibility of unauthorized data access and PHI theft could not be ruled out.

CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries
Discovered on December 4, 2019
The Centers for Medicare and Medicaid Services (CMS) recently discovered a bug in its Blue Button 2.0 API that exposed the PHI of around 10,000 Medicare beneficiaries. Access to the Blue Button API was temporarily suspended while the CMS completed a comprehensive code review. On December 4, 2019, the CMS was alerted to a data anomaly with the Blue Button API by a third-party application partner. The CMS confirmed the data anomaly and immediately suspended access to the production environment while the matter was investigated. The CMS determined the anomaly was due to a coding bug. That bug potentially allowed data to be shared with incorrect Blue Button 2.0 applications and the wrong beneficiaries. The CMS determined that 30 applications were impacted by the bug, in addition to the thousands of people whose PHI was exposed.

Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches
Discovered on November 6, 2019
The State of Colorado recently notified 12,230 individuals about an impermissible disclosure of some of their protected health information as a result of a mailing error. The error occurred in a Colorado Department of Human Services mailing of notices to reapply for food and cash assistance programs. The error was discovered on November 6, 2019. The investigation revealed 10,879 notice-to-reapply forms had been sent out that contained the information of incorrect individuals. The information of 12,230 individuals had been incorrectly included on the forms. The information included names, employers, whether the person had a vehicle, and a limited amount of other information related to household resources. No addresses, dates of birth, financial information, Social Security numbers, or other information required for identity theft and fraud were disclosed.

Some Important Points
While these data breach incidents aren't likely to make national headlines the way other healthcare data breaches involving millions of people have over the last year, they are still important for a couple of reasons:
- Frequency – These all happened in the last several weeks of 2019, which begs the question: how often is too often?
- How they occurred – All three of these breaches were caused in different ways – malware, a computer bug, and a mailing error. While it would be easy to chalk up data breaches to hackers and cybercriminals, the truth is that human/employee error accounts for a large number of them as well.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6327/hipaa-breaches-violations-and-penalties.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
94      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/how-to-be-proactive-to-be-hipaa-compliant</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3545.mp4      </video:content_loc>
      <video:title>
How to be Proactive to be HIPAA Compliant      </video:title>
      <video:description>
In this lesson, we're going to look at ways you can reduce the risks to your business as it pertains to data breaches. To this end, we'll show the 3 Pillars of Success that should help eliminate your risks and keep you HIPAA compliant. And at the end of the lesson, we'll provide you with a Word about the duties of a HIPAA compliance officer.

There are several common issues we've seen over the years that greatly contribute to you or your organization not being HIPAA compliant, which increases your risk of suffering through a data breach. Those issues include:
- Your organization's and staff's understanding of HIPAA and HITECH laws
- Limited or no training on how to properly handle PHI, including ePHI and oral conversations
- A lack of risk assessments to help identify your risks to PHI
- A limited, or no, Book of Evidence that includes your organization's policies and procedures
- Not using the proper business associate agreements (BAAs)
- The use of Gmail, Yahoo, MSN, AOL, and other unsecure platforms for the transmission of PHI

So, how can you and your organization be more proactive at reducing your risks and becoming more HIPAA compliant? You can institute what we describe as the 3 Pillars of Success.

The 3 Pillars of Success

The 3 Pillars of Success are:
- Risk Assessments
- A Book of Evidence
- Compliance Training

Let's look at each of these in more detail.

Risk Assessments

Your business or organization must perform a regularly scheduled compliance risk assessment. We recommend doing this on at least an annual basis to ensure that all staff understand any changes within your organization and/or business environment that could contribute to it being less secure.

A Book of Evidence

A Book of Evidence is a basic HIPAA requirement and contains all of your organization's policies and procedures on handling PHI and ePHI, including, among other things, your business continuity plan, data breach plan, and how to handle unauthorized access of protected health information.

Compliance Training

Compliance training is an essential part of any security plan and ensures that you and your staff understand how to better protect PHI and follow all of your organization's policies and procedures. The human firewall is the best kind of firewall, but it cannot properly function without training and education. The more you and your employees understand the risks involved and how to handle PHI, the better your organization's chances of reducing the risks of data breaches and the subsequent risks to your business.

A Word About the Duties of a HIPAA Compliance Officer

HIPAA requires that one or more people within a covered entity or business associate be assigned the duties of a HIPAA Compliance Officer. How much work is involved depends on the size of the covered entity or business associate along with the amount of PHI involved. And in smaller organizations, it is often the case that the duties of a HIPAA Compliance Officer are divided between a Privacy Officer and a Security Officer. (Our crystal ball says that we'll be digging into these roles in later lessons.)

The typical duties of a HIPAA Compliance Officer include:
- Gaining a thorough knowledge of the HIPAA Privacy and Security Rules and the solutions available that will allow him or her to develop a HIPAA compliance program.
- After developing a HIPAA compliance program, the compliance officer should document progress towards its implementation, which would include creating a system that enables the officer to monitor the status of the organization's HIPAA compliance. That system should allow the officer to prioritize efforts towards compliance and communicate priorities to others in the organization. It should also act as a conduit through which compliance concerns can be raised and organizational changes coordinated.
- The HIPAA Compliance Officer is responsible for developing training programs and executing training courses. These should be designed to help employees understand HIPAA compliance and how any changes implemented will affect their specific duties.
- The HIPAA Compliance Officer is also responsible for monitoring the Department of Health &amp; Human Services' and their state's regulatory requirements. When new regulations or guidelines are introduced, the officer must adjust their organization's HIPAA compliance program to reflect those changes.

It's important to understand that HIPAA regulations do not define exactly what the duties of a HIPAA Compliance Officer are. Instead, HIPAA leaves it to each covered entity or business associate to establish their own duties according to their specific requirements. Thus, in order for an organization to effectively establish the duties of a HIPAA Compliance Officer, it is necessary for that organization to first understand what those specific requirements are. And part of that would entail undertaking a risk assessment.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6333/how-to-be-proactive-to-be-hipaa-compliant.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
107      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/what-is-a-risk-assessment</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3551.mp4      </video:content_loc>
      <video:title>
What is a Risk Assessment?      </video:title>
      <video:description>
In this lesson, we'll be going over what a risk assessment is, the purpose of risk assessments, and the benefits of having one regularly. At the end of the lesson, we'll provide you with a Word about what a HIPAA risk assessment should consist of.

A risk assessment is a process that helps your business or organization identify any potential risks and analyze what could happen if a breach or mishandling of PHI or ePHI occurs. Risk assessments are required by the Office for Civil Rights. To become compliant, you must attest to 100 questions that the OCR provides. By conducting a thorough risk assessment, you should have a better idea of the amount of risk your business or organization has, along with your exposure with respect to all protected health information.

Pro Tip #1: The important thing to remember is that all covered entities and business associates are required by law to conduct a risk assessment.

The goals of doing a risk assessment are to understand your vulnerabilities, if any exist, and the potential for a data breach. A risk assessment can help identify areas where you can better secure all types of patient health data, from ePHI to paper charts.

Pro Tip #2: All covered entities and business associates must also produce a risk report from the risk assessment. The risk report should detail the level of the risk and a remediation plan to resolve any and all risks to PHI and ePHI.

ProHIPAA recommends that all covered entities and business associates conduct an annual risk assessment to comply with all regulations and determine your level of risk from year to year. This yearly approach to risk assessments will help ensure that any changes in your business or organization haven't affected the security of the protected health information of your patients or customers.

A Word About What a HIPAA Risk Assessment Should Consist Of

The U.S. Department of Health and Human Services (HHS) acknowledges that there is no specific risk analysis methodology. This may be due to covered entities and business associates varying significantly in size, complexity, and capabilities. However, HHS does provide an objective of a HIPAA risk assessment – to identify potential risks and vulnerabilities to the confidentiality, availability, and integrity of all PHI that an organization creates, receives, maintains, or transmits. In order to achieve these objectives, the HHS suggests an organization should:
- Identify where PHI is stored, received, maintained, or transmitted
- Identify and document all potential threats and vulnerabilities
- Assess the security measures currently in place to safeguard PHI
- Assess whether the current security measures are being used properly
- Determine the likelihood of a reasonably anticipated threat
- Determine the potential impact of a data breach involving PHI
- Assign risk levels for vulnerability and impact combinations
- Document the risk assessment and take action where necessary

A HIPAA risk assessment is not a one-time or singular exercise. Assessments should be reviewed periodically, and as new work practices are implemented or new technology is introduced. HHS does not provide guidance on the frequency of reviews other than to suggest they may be conducted annually depending on an organization's circumstances.

Do You Need a HIPAA Privacy Risk Assessment?

Because the requirement for business associates to conduct risk assessments was introduced in an amendment to the HIPAA Security Rule, many covered entities and business associates overlook the necessity to conduct a HIPAA privacy risk assessment. A HIPAA privacy risk assessment is equally as important as a security risk assessment but can be a much larger undertaking depending on the size of the organization and the nature of its business.

In order to complete a HIPAA privacy risk assessment, an organization should appoint a privacy officer who can identify organizational workflows and get a big-picture view of how the HIPAA Privacy Rule will impact the organization's operations. Thereafter the privacy officer needs to map the flow of PHI both internally and externally in order to conduct a gap analysis to identify where breaches may occur. The final stage of a HIPAA privacy risk assessment should be the development and implementation of a HIPAA privacy compliance program. The program should include policies to address the risks to PHI identified in the HIPAA privacy risk assessment and should be reviewed, as suggested by the HHS, as new work practices are implemented or new technology is introduced.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6345/what-is-a-risk-assessment.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
82      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/what-is-a-business-associate</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3549.mp4      </video:content_loc>
      <video:title>
What is a Business Associate?      </video:title>
      <video:description>
In this lesson, we're going to dig into business associates – who they are, what their requirements are, and also include some examples of common business associates. At the end of the lesson, we'll take a more in-depth look into the business associate agreement.

A business associate is any company or individual with access to PHI or ePHI in support of a covered entity's business. Business associates are required to have the same policies and procedures when it comes to accessing and protecting PHI as covered entities. Just like covered entities, business associates are required to protect personal health information at all times. They're also required to notify their covered entity of any potential or active data breaches. And in a bigger picture sort of way, business associates must help protect their covered entities at all times.

Pro Tip: Business associates are required to immediately notify their covered entity when a breach of unsecured PHI is discovered. Waiting will only compound the problem and is a breach of HIPAA law.

Business associates can include the following:
- IT service companies
- Cloud service providers
- Laboratories
- Lawyers
- Consultants
- Benefits managers
- Claims processing firms
- Data transmission service providers
- Technology companies
- Suppliers and manufacturers with access to PHI

You may recall the corresponding video for this lesson involving an uncomfortable exchange with Tom the IT guy. Office manager Mary left a medical file lying on the counter and Tom unknowingly wandered over to have a look. This one incident is actually responsible for two violations – 1) not securing PHI and 2) looking at PHI when you do not have permissible access. Unfortunately for Tom, he doesn't know he's not supposed to look … until he already has looked. Moral of the story: Don't leave medical files lying around for others to look at.

Business Associate Agreements

Business associates must comply with all HIPAA requirements by providing written contractual agreements to their covered entities. Included in these agreements are:
- The business associate will only use the covered entity's protected health information for proper purposes
- The business associate will safeguard the covered entity's PHI from misuse
- The business associate will comply with all of HIPAA's security requirements and will ensure that all administrative, physical, and technical safeguards are followed to keep the covered entity's PHI safe

If a business associate violates any part of the HIPAA rules and regulations or is in violation of the business associate agreement with the covered entity, the business associate will be held accountable for both types of penalties. In instances where a business associate uses a subcontractor, also known as a downstream supplier, that subcontractor is required by HIPAA to have a contractual agreement with their business associate. Subcontractors are essentially held to the same HIPAA requirements when it comes to accessing and using protected health information. And like business associates, they are also accountable for any and all penalties when there is a breach of that contract.

A Word About the HIPAA Business Associate Agreement

A HIPAA business associate agreement is a contract between a HIPAA covered entity and a vendor used by that covered entity. As you already know, a HIPAA-covered entity is typically a healthcare provider, health plan, or healthcare clearinghouse that conducts transactions electronically. A vendor of a HIPAA covered entity that needs to be provided with protected health information in order to perform duties on behalf of the covered entity is called a business associate (BA) under HIPAA. A vendor is also classed as a business associate if, as part of the services provided, ePHI passes through their systems.

A signed HIPAA business associate agreement must be obtained by the covered entity before allowing a business associate to come into contact with PHI or ePHI. Since the passing of the HITECH Act and its incorporation into HIPAA in 2013 via the HIPAA Omnibus Final Rule, subcontractors used by business associates are also required to comply with HIPAA. As you now know, all business associates must likewise obtain a signed HIPAA business associate agreement from their subcontractors before access is given to PHI or ePHI. And if subcontractors use vendors that require access to PHI or ePHI, they too need to enter into business associate agreements with their subcontractors.

The business associate agreement should stipulate that the business associate (or subcontractor) must implement appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI and meet the requirements of the HIPAA Security Rule. Some of those measures may be stated in the business associate agreement, or they may be left to the discretion of the business associate. The business associate agreement should also include the allowable uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule.

In the event that PHI is accessed by individuals unauthorized to view the information, such as in an internal breach or cyberattack, the business associate is required to notify the covered entity of the breach and may be required to send notifications to individuals whose PHI has been compromised. The timescale and responsibilities for notifications should be detailed in the agreement. A business associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Business associates can be fined directly by regulators for HIPAA violations. Both the Department of Health and Human Services' Office for Civil Rights and state attorneys general have the authority to issue financial penalties for violations of HIPAA Rules.

At the end of the next lesson, we'll cover a few more details about business associate agreements that you may want to be aware of.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6341/what-is-a-business-associate.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
226      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/what-is-a-business-associate-agreement</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3553.mp4      </video:content_loc>
      <video:title>
What is a Business Associate Agreement?      </video:title>
      <video:description>
In this lesson, we're going to look briefly at what a business associate agreement (BAA) is and what some of the common elements of a BAA are. At the end of the lesson, we'll take a look at some common HIPAA violations.

A business associate agreement is a required contract between a covered entity and a business associate who has direct or incidental access to PHI or ePHI. A business associate agreement will contain details on how each entity will be responsible for handling PHI and can include:
- Required compliance training
- A risk assessment
- Financial liabilities
- Responsibilities if and when a data breach occurs

Pro Tip: A business associate agreement is required and holds business associates accountable to handle PHI and ePHI securely and safely.

Business associates are required to have:
- A risk assessment
- HIPAA compliance training
- Policies and procedures, also known as a Book of Evidence

A Word About 10 Common HIPAA Violations

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. But before we get into the top 10 list, let's answer a couple of important questions first.

Are Data Breaches HIPAA Violations?

Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. The Office for Civil Rights (OCR) understands that healthcare organizations are being targeted by cybercriminals and that it is not possible to implement impregnable security defenses. Being HIPAA compliant is not about making sure that data breaches never happen. HIPAA compliance is about reducing risk to an appropriate and acceptable level. Just because an organization experiences a data breach, it does not mean the breach was the result of a HIPAA violation. The OCR breach portal now reflects this more clearly. Many data breaches are investigated by OCR and are found not to involve any violations of HIPAA Rules. Consequently, the investigations are closed without any action being taken.

How are HIPAA Violations Discovered?

HIPAA violations can continue for many months, or even years, before they are discovered. The longer they are allowed to persist, the greater the penalty will be when they are eventually discovered. It is therefore important for HIPAA covered entities to conduct regular HIPAA compliance reviews to make sure HIPAA violations are discovered and corrected before they are identified by regulators. There are three main ways that HIPAA violations are discovered:
- Investigations into a data breach by OCR (or state attorneys general).
- Investigations into complaints about covered entities and business associates.
- HIPAA compliance audits.

Even when a data breach does not involve a HIPAA violation, or a complaint proves to be unfounded, OCR may uncover unrelated HIPAA violations that could warrant a financial penalty.

10 Most Common HIPAA Violations

Listed below are 10 of the most common HIPAA violations, together with examples of HIPAA-covered entities and business associates that have been discovered to be in violation of HIPAA Rules and have had to settle those violations with OCR and state attorneys general. In many cases, investigations have uncovered multiple HIPAA violations. In no particular order, the 10 most common HIPAA violations are:
- Snooping on healthcare records
- Failure to perform an organization-wide risk analysis
- Failure to manage security risks / lack of a risk management process
- Failure to enter into a HIPAA-compliant business associate agreement
- Insufficient ePHI access controls
- Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
- Exceeding the 60-day deadline for issuing breach notifications
- Impermissible disclosures of protected health information
- Improper disposal of PHI
- Denying patients access to health records/exceeding timescale for providing access      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6349/what-is-a-business-associate-agreement.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
54      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/what-penalties-apply-to-violations-of-privacy-rule-requirements</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3555.mp4      </video:content_loc>
      <video:title>
What Penalties Apply to Violations of Privacy Rule Requirements?      </video:title>
      <video:description>
In this lesson, we're going to cover all things related to HIPAA violation penalties and what the true costs are to your business or practice if this should happen to you. At the end of the lesson, we'll provide you with a Word about what constitutes a HIPAA violation.

The United States Department of Health and Human Services' Office for Civil Rights is responsible for administering and enforcing the HIPAA standards and may conduct investigations and compliance reviews whenever it sees fit. Should you be found to be in violation of any privacy rule requirements, your business or practice could be responsible for paying civil penalties. These penalties are for each violation and can be stacked if there are multiple violations with respect to a single individual. Penalties also depend on the type of violation.

Civil penalties, for instance:
- Can range from $100 to $50,000 per violation
- Can go up to a maximum of $1.5 million per year

Criminal penalties, on the other hand:
- Can range up to $250,000 in fines
- Can result in 10 years imprisonment for those knowingly or improperly disclosing information or obtaining information under false pretenses
- Can result in even higher penalties for violations designed for financial gain or deemed as malicious harm

Pro Tip: That's just the federal side of the penalty puzzle. State laws can also inflict their own set of fines on your business or practice.

The True Cost of a Data Breach

Let's go over the details of the cost of a data breach to your business or practice. Here are a few costs you may be subjected to:
- Health and Human Services fines up to $1.5 million per violation or per year.
- Federal Trade Commission fees up to $16,000 per violation.
- Class action lawsuits from between $1000 and $500,000 since no one usually sues for less than $500,000.
- State Attorney General can inflict fines of between $150,000 and $6.8 million.
- Business or patient loss up to 50 percent.
- The costs associated with offering ID monitoring and free credit reports to all people impacted, or somewhere around $10 to $30 per person.
- Lawyer fees of at least $2000+.
- Breach notification costs of at least $1000.
- Business associate changes and technology repairs of around $5000+.

A Word About What Constitutes a HIPAA Violation

There is much talk of HIPAA violations in this course, but what actually constitutes a HIPAA violation? A HIPAA violation has occurred when a HIPAA covered entity – or a business associate – fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules. A violation may be deliberate or unintentional.

An example of an unintentional HIPAA violation is when too much PHI is disclosed, and the minimum necessary information standard is violated. When PHI is disclosed, it must be limited to the minimum necessary information to achieve the purpose for which it is disclosed. Financial penalties for HIPAA violations can be issued for unintentional HIPAA violations, although, as mentioned above, the penalties will often be at a lower rate than for willful violations of HIPAA Rules.

An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications, which is a clear violation of the HIPAA Breach Notification Rule. Many HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures.

Penalties for HIPAA violations can potentially be issued for all HIPAA violations, although the Office for Civil Rights typically resolves most cases through voluntary compliance, issuing technical guidance, or accepting a covered entity's or business associate's plan to address the violations and change policies and procedures to prevent future violations from occurring. It should be noted that financial penalties for HIPAA violations are reserved for the most serious violations of HIPAA Rules.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6353/what-penalties-apply-to-violations-of-privacy-rule-requirements.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
131      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/do-i-need-a-privacy-officer-or-security-officer</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3556.mp4      </video:content_loc>
      <video:title>
Do I need a Privacy Officer or Security Officer?      </video:title>
      <video:description>
In this lesson, we'll be going into some detail regarding the duties of both HIPAA Privacy Officers and HIPAA Security Officers and where and how those duties sometimes intersect. At the end of the lesson, we'll provide you with a Word about HIPAA violation classifications.

One important thing to remember is that you are required by law to have someone appointed as a privacy officer and a security officer at your business or practice. However, it's equally important to point out that these roles can be combined in certain situations and given to just one individual.

Pro Tip #1: While you can appoint one person as privacy officer and security officer, it's not something that we would recommend. Separating these duties adds a second pair of eyes, or ensures a certain amount of checks and balances.

What are the Duties of a HIPAA Privacy Officer?

In order to fulfill the duties of a HIPAA Privacy Officer, you would be responsible for the following:
- Developing a HIPAA compliant privacy program if one does not already exist
- Ensuring that all privacy policies are in place and capable of protecting the integrity of all PHI and ePHI
- Enforcing all the privacy policies that are in place
- Delivering or overseeing ongoing employee privacy training
- Conducting regularly scheduled risk assessments
- Developing HIPAA compliant procedures where necessary
- Monitoring compliance with the privacy program
- Investigating any and all incidents in which a breach of PHI or ePHI may have occurred
- Reporting breaches as they occur
- Ensuring all patient rights in accordance with all state and federal laws
- Keeping up to date with all relevant state and federal laws

At this point in your lesson, you may be asking yourself, what is the contrast between a security officer and a privacy officer? (Or you may just be contemplating lunch.) The duties of a HIPAA Security Officer are in fact similar to those of a HIPAA Privacy Officer, in as much as the appointed person will be responsible for the development of all security policies, the implementation of all procedures, training, risk assessments, and monitoring compliance.

Pro Tip #2: Having said all that, the focus of a security officer is to ensure compliance with the administrative, physical, and technical safeguards of the HIPAA Security Rule.

What are the Duties of a HIPAA Security Officer?

The duties of a HIPAA Security Officer can include, but aren't limited to, the following:
- Developing a disaster recovery plan
- Putting into place the mechanisms to prevent unauthorized access to PHI and ePHI
- Deciding how all electronic PHI (ePHI) is transmitted and stored

As previously mentioned, while it isn't ideal or recommended, due to the similarity in duties, the roles of a HIPAA Privacy Officer and a HIPAA Security Officer can be performed by the same person. The one caveat: It works best in smaller businesses, practices, or organizations.

Customized for Your Business

You can complete all the required actions to be HIPAA and HITECH compliant yourself, since all HIPAA and HITECH laws are applicable and must be customized to your exact needs. If you feel that the technical policies and procedures are too overwhelming, however, we would recommend you use a HIPAA compliance guide (like ourselves at ProHIPAA) who can guide you through your HIPAA journey.

A Word About HIPAA Violation Classifications

Are you curious about what happens if you violate HIPAA? Well, that depends on the severity of the violation. The Office for Civil Rights prefers to resolve HIPAA violations using non-punitive measures, such as with voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate. There are four categories that are used for the penalty structure. They are as follows:
- Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.
- Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care, but still falling short of willful neglect of HIPAA Rules.
- Tier 3: A violation suffered as a direct result of willful neglect of HIPAA Rules, in cases where an attempt has been made to correct the violation.
- Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.

In the case of unknown violations, where the covered entity could not have been expected to avoid a data breach, it may seem unreasonable for covered entities to be issued with a fine. The Office for Civil Rights understands this and has the discretion to waive a financial penalty. The penalty cannot be waived, however, if the violation involved willful neglect of the Privacy, Security, and Breach Notification Rules.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6355/do-i-need-a-compliance-partner-or-privacy-officer.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
155      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/important-hipaa-terminology</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3537.mp4      </video:content_loc>
      <video:title>
Important HIPAA Terminology      </video:title>
      <video:description>
This lesson is all about learning some important definitions to better help you understand HIPAA terminology. There will, of course, be a little repetition.
HIPAA: Health Insurance Portability and Accountability Act of 1996.
HITECH: Health Information Technology for Economic and Clinical Health Act of 2009.
Pro Tip #1: The goal of HITECH is to promote the adoption and meaningful use of health information technology. It also significantly expanded the HIPAA Privacy Rule and security standards by adding new privacy and security requirements for PHI, including direct liability for business associates and the Breach Notification Rule.
PHI: Protected Health Information (patients' personal and medical information).
ePHI: Electronic Protected Health Information. This includes all PHI that is stored and/or transmitted electronically. Common places ePHI is found include:
Faxes (when sent or received through computer-based fax systems)
Emails
Data backups
Cloud providers
Patient portals
Removable media
Secure texting
Encrypt ePHI both at rest and in transit. Strictly speaking, encryption is an addressable implementation specification of the Security Rule: you may only forgo it if you document why it is not reasonable and appropriate for your organization and put an equivalent safeguard in place. In practice, encrypting ePHI (and keeping the decryption keys on a separate system from the data) is the expected standard, and it is what allows lost or stolen ePHI to be treated as secured and therefore not reportable as a breach.
Business Associate: Any person or organization that creates, receives, maintains, or transmits PHI while performing functions or services on behalf of a covered entity.
Business Associate Requirements: Under HITECH, business associates are directly liable for compliance with the HIPAA Security Rule and the applicable provisions of the Privacy and Breach Notification Rules. This includes financial liability for data breaches caused by their organization, employees, or subcontractors. All business associates are required to have:
A risk assessment
Proper training
A Book of Evidence
Risk Assessment: A structured set of questions that helps organizations identify gaps in their security posture, both for their own organization and for the covered entities they serve. The Security Rule requires a documented risk analysis; the output is a risk report with a road map for resolving each identified problem. A risk assessment has three sections and three types of questions.
Sections on the Risk Assessment:
Administrative
Technical
Physical
Types of Risk Assessment Questions:
Standard
Required
Addressable
Standard questions measure whether a covered entity or business associate is ensuring the confidentiality, integrity, and availability of ePHI while it is in their custody and care.
Pro Tip #2: Covered entities and business associates must comply with the applicable standards of the Security Rule with respect to all ePHI.
Required questions correspond to implementation specifications that covered entities and/or business associates must implement as written. Addressable questions, while not optional, give covered entities some flexibility in how they meet the standard: if the specification is reasonable and appropriate for the organization, it must be implemented; if not, the organization must document why and implement an equivalent alternative measure. All organizations must determine their own level of risk to PHI and apply security measures proportionate to that risk.
Book of Evidence: The Book of Evidence is the customized set of policies and procedures that every organization handling PHI is required to create and maintain. It documents how that organization handles PHI and ePHI, including:
Data breach notification procedures
Disaster recovery policies
Privacy and patient policies
Privacy Policy: A privacy policy explains how covered entities and business associates handle PHI. Covered entities are required by law to provide patients with a copy of their Notice of Privacy Practices on request. Business associates must also be able to provide their privacy policies to internal employees, to external companies (also known as downstream suppliers or subcontractors), and for government audits.
A Word About the Disposal of PHI
The disposal of protected health information (PHI) comes with its own requirements under the HIPAA Privacy and Security Rules. These are the steps covered entities take when they dispose of PHI:
Shred all hard copies containing PHI when they are no longer needed. Until they are shredded, keep hard copies awaiting disposal in locked bins.
Delete all soft-copy files containing PHI from workstations and servers when the information is no longer needed and the record-retention period has expired.
Destroy all disks, CDs, and other media that contained PHI before disposing of them. Do not reuse disks, CDs, or drives that contained PHI without thoroughly sanitizing them first; ordinary file deletion or a quick format leaves the data recoverable.
Contact the IT department for the proper procedures before transporting or transferring equipment and before sanitizing hard drives and other media, and keep a record (a certificate of destruction or sanitization log) of what was wiped or destroyed, when, and by whom.
Return the PHI (medical records) to the patient if a contractual agreement requires it. Many states also require covered entities to retain this information and make it available for a defined period, so check retention requirements before destroying anything.
Health and Human Services encourages all covered entities to consider the steps that other prudent healthcare organizations and health information professionals are taking to protect patient privacy in connection with record disposal.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6317/important-hipaa-terminology.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
222      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/policies-procedures-and-the-book-of-evidence</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3552.mp4      </video:content_loc>
      <video:title>
Policies, Procedures and the Book of Evidence      </video:title>
      <video:description>
In this lesson, we'll cover HIPAA policies and procedures (aka the Book of Evidence), including what the Book of Evidence should consist of and one key point to remember when putting together your own. At the end of the lesson, we'll provide a Word about how to become HIPAA compliant.
Every business or practice that has access to PHI or ePHI is required to have a set of policies and procedures in place for handling protected health information. This set of policies and procedures is what we refer to as the Book of Evidence.
Pro Tip #1: One important thing to remember about your Book of Evidence is that it must be customized to your own business or practice, which is unlike any other. Yes, downloadable online templates are available. And yes, using one unchanged is a very bad idea: a policy that describes controls you don't actually operate is evidence against you in an audit. Your Book of Evidence must describe your own exact business.
What Should a Book of Evidence Include?
Without spoiling the ending, any thorough Book of Evidence should include:
The responsibilities of the covered entity or business associate
The use and disclosure of the PHI it has access to
The individual rights of patients (if pertinent)
How to handle a breach of protected health information
Pro Tip #2: Your Book of Evidence must be present in the office of the business or practice and must be provided to the Office for Civil Rights should they ever request it. It must also reflect the dates of the latest changes to the law and the date of its own most recent review. We also recommend storing a copy online or on a local network for disaster recovery and business continuity purposes.
There is a common misconception that a Book of Evidence is one size fits all. Again, it's not! It must be customized to fit your own business or practice. Also, don't forget to keep a printed copy on site and a copy at an offsite or cloud-based location.
A Word About How to Become HIPAA Compliant
Before getting into how to become compliant, it may be best to answer the question: what is HIPAA compliance? HIPAA compliance means fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Typically, the next question is: what are the HIPAA compliance requirements? That question is not so easy to answer, because some of the requirements of HIPAA are intentionally vague so that HIPAA can be applied equally to every type of covered entity or business associate that comes into contact with PHI. While it is possible to use a HIPAA compliance checklist to make sure all aspects of HIPAA are covered, organizations unfamiliar with the intricacies of the HIPAA Rules can find it difficult to develop such a checklist and implement all appropriate privacy and security controls.
You will certainly need a HIPAA compliance checklist to make sure your organization, product, or service incorporates all of the technical, administrative, and physical safeguards of the HIPAA Security Rule. You must also adhere to the requirements of the HIPAA Privacy and Breach Notification Rules. Whether you are a covered entity or a business associate, failing to safeguard PHI can result in fines imposed directly by the HHS Office for Civil Rights, state attorneys general, and other regulators. Criminal charges may also apply for some violations.
HIPAA compliance can, therefore, be daunting. To cover every element on your HIPAA compliance checklist and leave no stone unturned, it is worthwhile seeking guidance from HIPAA compliance experts.
Many firms offer HIPAA compliance software to guide you through your HIPAA compliance checklist, help you maintain ongoing compliance with HIPAA Rules, and provide a compliance attestation. Keep in mind that HHS does not issue or endorse any official HIPAA certification; a third-party certificate is evidence of a good-faith compliance program, not a legal safe harbor.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6347/policies-procedures-and-the-book-of-evidence.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
94      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/what-is-a-covered-entity</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3538.mp4      </video:content_loc>
      <video:title>
What is a Covered Entity?      </video:title>
      <video:description>
In this lesson, we'll go over some basics of covered entities: what covered entities are, some examples of covered entities, and what requirements all covered entities share. At the end of the lesson, we'll provide a Word about the differences between covered entities and business associates.
What is a Covered Entity?
A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that creates, receives, or handles PHI (protected health information). Covered entities include the following:
Healthcare providers
Health plans
Organizations and/or individuals that provide billing services or are paid in connection with services in the normal course of conducting business
Pro Tip: The key phrase to remember as it relates to covered entities is that they handle PHI. This is the common element that all covered entities share.
You may recall from a previous lesson that PHI is health information that can identify the individual to whom it belongs. HIPAA's Privacy Rule was established to protect PHI while it is in the care of either covered entities or business associates, whether the covered entity or business associate is sending, receiving, or storing that information. The two key elements that determine whether a piece of information is PHI are:
The H stands for Health, so the information in question must be healthcare-related (about a person's condition, care, or payment for care).
The information must also be identifiable. If the information cannot be used to identify the person it belongs to, it isn't considered PHI.
Common identifiers are names, addresses, dates of birth, and Social Security numbers. Everything an identity thief needs.
What are Some Examples of Covered Entities?
The list of covered entities is quite substantial and includes the following:
Physicians
Optometrists
Dentists
Nurses
Mental health providers
Radiologists
Laboratories
Pharmacies
Call centers
Durable medical equipment providers
Hospitals
Ambulance companies
Healthcare workers
Case managers
Social workers
As you can see, the list of covered entities extends well beyond healthcare professionals themselves and even beyond healthcare institutions like hospitals and clinics.
What is Required of a Covered Entity?
A covered entity is required to comply with all of HIPAA's regulations. These include the following:
They are required to perform risk assessments
They are required to provide compliance training for staff
They are required to maintain a Book of Evidence containing all the proper policies and procedures for handling PHI
A Word About the Differences Between Covered Entities &amp; Business Associates
First, let's define what a business associate is.
What is a Business Associate?
A business associate is any business or person that provides a service, function, or activity for a covered entity, when that service, function, or activity involves access to PHI maintained by the covered entity. Examples of business associates include, but aren't limited to:
Lawyers
Accountants
IT contractors
Billing companies
Cloud storage services
Email encryption services
The key phrase from above that really defines a business associate is this: access to PHI that is maintained by the covered entity.
What (Again) is a Covered Entity?
Remember, HIPAA covered entities are healthcare providers, health plans, and organizations like healthcare clearinghouses. Without going too far down the rabbit hole, health plans are defined as health insurance companies, company health plans, government programs that pay for healthcare, and HMOs.
Healthcare clearinghouses are entities, such as billing services and repricing companies, that convert non-standard health information into a standard format (or standard data into a non-standard format) for another organization. Here is the key element to remember: health plans and healthcare clearinghouses are always covered entities, but a healthcare provider is only a HIPAA covered entity if it transmits health information electronically in connection with a transaction for which HHS has adopted standards (claims, eligibility checks, referrals, and the like). A provider that does none of this electronically is outside HIPAA, though it may still be subject to state privacy law.
Remember, a business associate is an entity, either an individual or a company, that is given access to protected health information in order to provide services for a HIPAA covered entity. Business associates are required to sign a contract with the covered entity, called a business associate agreement (BAA), that outlines the responsibilities of the business associate and explains what it must do to comply with HIPAA Rules. (This is something we will tackle in more detail in a subsequent lesson.)
So, what is the Difference?
Covered entities own the relationship with the patient and hold PHI in their own right, while business associates merely have access to PHI on the covered entity's behalf. It's a somewhat ambiguous distinction, but an important one nonetheless.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6319/what-is-a-covered-entity.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
62      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/how-to-handle-a-data-breach-and-violations</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3554.mp4      </video:content_loc>
      <video:title>
How to Handle a Data Breach and Violations      </video:title>
      <video:description>
In this lesson, we're going to tackle your worst nightmare: there's been a data breach or HIPAA violation and you need to take action. We'll provide the necessary steps for handling such an event, and at the end of the lesson, we'll provide a few more details about the HIPAA Breach Notification Rule.
Let's assume your business or organization has had a breach. These are the steps you need to take now that the breach has occurred:
Notify your privacy or compliance officer and let him or her know about the breach.
Initiate a data breach risk assessment.
Notify all impacted individuals within the required time frame.
Report the breach to HHS within 60 days of discovery if it affects 500 or more individuals; smaller breaches are logged and reported annually (see below).
Notify prominent local media outlets if the breach affected more than 500 residents of a single state or jurisdiction.
Pro Tip #1: HIPAA regulations require you to notify impacted individuals without unreasonable delay and no later than 60 days after discovery. However, multiple states, including Texas, Wisconsin, North Carolina, Alabama, and others, have more stringent laws that require notification to take place more quickly, and other states appear to be following suit. The moral of the story: time is of the essence, and the stricter deadline always wins.
Once your privacy officer has been alerted to the breach, he or she must initiate a data breach risk assessment to determine what PHI was breached and how many individuals have been affected. A formal report must be compiled and submitted to HHS within 60 days of discovery for breaches of 500 or more individuals. You must also notify all impacted individuals within that same 60-day window, or sooner if your state law is more stringent.
Media Notice Rule
The media notice rule requires covered entities to report breaches that involve more than 500 residents of a state or jurisdiction to prominent media outlets serving that area. If dealing with a breach of this size, your privacy officer would need to contact local television and newspaper outlets and provide a notification of the breach.
Here is just some of the information that a breach notification should include:
A brief description of the breach, including the date of the breach and the date of discovery, if known
The types of information involved in the breach
The steps affected individuals should take to protect themselves from potential harm
A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
Contact information (a toll-free number, email address, website, or postal address) for questions
Pro Tip #2: If a covered entity has insufficient or out-of-date contact information for 10 or more individuals, it must provide substitute notice, either by a conspicuous posting on the home page of its website for at least 90 days or by a conspicuous notice in major print or broadcast media in the areas affected, in either case with a toll-free number that stays active for at least 90 days. If fewer than 10 individuals are unreachable, substitute notice can be given by an alternative written notice, telephone, or other means.
A Word About the HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their unsecured PHI, whether on paper or in electronic form (encrypted ePHI whose keys were not compromised is considered secured, and its loss is not a reportable breach). The Breach Notification Rule also requires covered entities to notify the Department of Health and Human Services of such a breach and to issue a notice to the media if the breach affects more than 500 residents of a state or jurisdiction. Business associates must notify the covered entity, which then carries out these notifications.
Smaller breaches, those affecting fewer than 500 individuals, must also be reported to HHS via the OCR web portal. These reports should ideally be made once the initial investigation has been conducted; OCR only requires them to be submitted annually, within 60 days of the end of the calendar year in which the breach was discovered.
The breach risk assessment, and the notification that follows from it, should cover the following:
The nature of the PHI involved, including the types of personal identifiers exposed
The unauthorized person who used the PHI or to whom the disclosure was made (if known)
Whether the PHI was actually acquired or viewed (if known)
The extent to which the risk of harm has been mitigated
Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach.
When notifying a patient of a breach, the covered entity must inform the individual of the steps they should take to protect themselves from potential harm, and include a brief description of what the covered entity is doing to investigate the breach and the actions taken so far to prevent further breaches and security incidents.      </video:description>
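The timing and threshold rules above are easy to get wrong under pressure, so here is an added example (not ProHIPAA's own tooling) that turns them into a dated checklist for an incident. The federal 60-day ceiling, the 500-resident media threshold, the 500-individual HHS threshold, the annual log for smaller breaches, and the 10-person substitute-notice threshold come from the text; the per-state deadline table is an assumption the caller supplies after checking with counsel, and the sample breach is constructed, not a real incident.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

FEDERAL_DEADLINE_DAYS = 60        # individual/HHS/media notice: no later than 60 days after discovery
HHS_IMMEDIATE_THRESHOLD = 500     # 500 or more affected: report to HHS within 60 days
MEDIA_THRESHOLD = 500             # more than 500 residents of one state/jurisdiction: media notice
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10 or more unreachable individuals: web posting or major media


@dataclass
class Breach:
    discovered: date
    affected_by_state: Dict[str, int]   # state code -> number of affected residents
    unreachable: int = 0                # individuals with insufficient or out-of-date contact info
    # Hypothetical table of stricter state deadlines (days after discovery) for
    # individual notice. Values are supplied by the caller; nothing here is a real statute.
    state_deadline_days: Dict[str, int] = field(default_factory=dict)


@dataclass
class Obligation:
    action: str
    deadline: Optional[date]
    detail: str


def notification_plan(b: Breach) -> List[Obligation]:
    """Build the list of notifications the breach triggers, each with its deadline."""
    plan: List[Obligation] = []
    total = sum(b.affected_by_state.values())
    federal = b.discovered + timedelta(days=FEDERAL_DEADLINE_DAYS)

    # Individual notice: the 60-day federal ceiling, tightened by any stricter state law.
    for state, count in b.affected_by_state.items():
        days = min(FEDERAL_DEADLINE_DAYS, b.state_deadline_days.get(state, FEDERAL_DEADLINE_DAYS))
        plan.append(Obligation(f"individual_notice:{state}", b.discovered + timedelta(days=days),
                               f"written notice to {count} individuals (first-class mail, or e-mail if agreed)"))

    # HHS report: 500 or more affected -> within 60 days of discovery; otherwise log it and
    # submit the annual report no later than 60 days after the end of the calendar year.
    if total >= HHS_IMMEDIATE_THRESHOLD:
        plan.append(Obligation("hhs_report", federal,
                               f"report {total} affected individuals via the OCR breach portal"))
    else:
        year_end = date(b.discovered.year, 12, 31)
        plan.append(Obligation("hhs_annual_log", year_end + timedelta(days=FEDERAL_DEADLINE_DAYS),
                               f"log {total} affected individuals; include in the annual report"))

    # Media notice is evaluated per state/jurisdiction, not on the national total.
    for state, count in b.affected_by_state.items():
        if count > MEDIA_THRESHOLD:
            plan.append(Obligation(f"media_notice:{state}", federal,
                                   f"notify prominent media outlets serving {state} ({count} residents)"))

    # Substitute notice when contact information is missing or stale.
    if b.unreachable >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan.append(Obligation("substitute_notice", federal,
                               f"{b.unreachable} unreachable: 90-day home-page posting or major media, "
                               "plus a toll-free number active for 90 days"))
    elif b.unreachable > 0:
        plan.append(Obligation("substitute_notice_alt", federal,
                               f"{b.unreachable} unreachable: alternative written notice, telephone or other means"))
    return plan


def deadline_for(plan: List[Obligation], action: str) -> Optional[date]:
    """Return the deadline of one obligation, or None if the plan does not contain it."""
    for o in plan:
        if o.action == action:
            return o.deadline
    return None


if __name__ == "__main__":
    # Constructed sample: 600 Texas residents and 30 Oklahoma residents affected, 12 of them
    # unreachable, with a hypothetical 30-day state deadline for Oklahoma.
    sample = Breach(date(2024, 1, 15), {"TX": 600, "OK": 30}, unreachable=12,
                    state_deadline_days={"OK": 30})
    for o in notification_plan(sample):
        print(f"{o.deadline}  {o.action:22} {o.detail}")
```

The plan is deliberately a flat list of dated actions so it can be dropped into a ticketing system; the point to notice is that the media test runs per state while the HHS test runs on the total, and that the annual-log deadline is computed from the calendar year of discovery, not from the breach date.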
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/6351/how-to-handle-a-data-breach-and-violations.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
141      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/leaders/video/what-is-hipaa</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3933.mp4      </video:content_loc>
      <video:title>
What is HIPAA?      </video:title>
      <video:description>
In this lesson, you'll learn what HIPAA is, the role it plays in healthcare, and who is mandated to follow its requirements, along with relevant real-world examples.
What is HIPAA?
HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark act to provide the following:
The portability of insurance
The protection and privacy of healthcare information
The standardization and efficiency of healthcare data
The prevention of discrimination and fraud
What is HIPAA's Role in Healthcare?
HIPAA gives the U.S. Department of Health and Human Services (HHS) the responsibility of adopting rules that help individuals and companies keep important health information private. HIPAA protects against unauthorized disclosure of any protected health information that pertains to healthcare patients, and it establishes a national set of security standards for protecting certain health information that is held or transferred electronically. In addition to privacy and security, administrative provisions were included in HIPAA to improve the efficiency and effectiveness of the healthcare system. These provisions include:
Specific transaction standards and code sets
A national standard of unique identifiers for employers, health plans, and healthcare providers
Data security and electronic signatures
Pro Tip #1: HIPAA compliance is highly dependent on the size, function, administration, and type of entity or business associate. Therefore, this training module is not intended to be a comprehensive HIPAA compliance guide.
Warning: Entities and business associates regulated by HIPAA's Privacy and Security Rules are obligated to comply with all federal and state requirements and should not rely on this training alone as a source of legal information or advice.
In addition, to ensure compliance with HIPAA, covered entities and business associates should regularly perform a risk assessment, track access to PHI, and periodically evaluate the effectiveness of the security measures they have put in place.
Who is Mandated to Follow HIPAA's Requirements?
HIPAA law applies directly to two particular groups, known as covered entities and business associates, which can include:
Healthcare providers
Health plans
Healthcare clearinghouses
Tech companies
Cloud service providers
Anyone with access to PHI on a covered entity's behalf
What is a Healthcare Provider?
A healthcare provider is any provider of medical or other health services, or any organization or person that transmits health information in electronic form in connection with a standard transaction. This includes organizations and individuals that provide billing services or are paid in connection with services in the course of doing business. Common examples include:
Physicians
Dentists
Optometrists
Nurses
Mental health providers
Radiology centers
Chiropractors
Psychologists
Pharmacies
Durable Medical Equipment (DME) providers
Hospitals
Ambulance companies
Home healthcare workers
Social workers
What is a Health Plan?
A health plan is any individual or group plan that provides or pays the cost of healthcare services, such as an HMO, an insurance company, and Medicaid and Medicare.
What is a Healthcare Clearinghouse?
A healthcare clearinghouse is a public or private entity that converts healthcare transactions from one format to another, typically from a non-standard format into the standard format required for electronic transactions. An example would be a third-party billing service that ensures all information exchanged between a doctor's office and an insurance company complies with HIPAA requirements.
Pro Tip #2: HIPAA applies to employers only to the extent that they operate in one of these three groups. Furthermore, the same standards apply to covered entities in both the public and private sectors.
If a company offered healthcare services and treatment to employees onsite, like an onsite clinic, the employer would be a covered entity for that clinic and would be required to follow all HIPAA requirements for it.
What is a Business Associate?
A business associate is any company or individual that creates, receives, maintains, or transmits PHI or ePHI on behalf of a covered entity. (Merely incidental exposure, such as a cleaning crew that might glimpse a chart, does not by itself make someone a business associate; performing a function or service that involves PHI does.) Business associates are required to have in place:
A risk assessment plan
Proper training
Specific policies and procedures
Examples of business associates include:
IT vendors
Call centers
Court reporters
Cloud providers
Legal services providers
Suppliers and manufacturers with access to PHI and ePHI
Business associates have the same Security Rule obligations as covered entities to protect PHI and are required to notify the covered entity of any breach or suspected breach. Business associates must also sign a contractual agreement with the covered entity, known as a Business Associate Agreement (BAA). The BAA states that the business associate will only use protected health information for permitted purposes and will safeguard it from misuse. Business associates must comply with all HIPAA security requirements and ensure that administrative, physical, and technical safeguards are in place. If a business associate violates the BAA, it is in breach of its contract with the covered entity and in violation of HIPAA, and can be held accountable for the penalties of both.
Pro Tip #3: If a business associate uses subcontractors that handle PHI, HIPAA requires a BAA between the business associate and each subcontractor. Subcontractors are held to the same HIPAA requirements when it comes to protected health information.       </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/7075/what-is-hipaa-new.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
316      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/texas-hb300/video/breach-notifications-under-hb300</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3948.mp4      </video:content_loc>
      <video:title>
Breach Notifications under HB300      </video:title>
      <video:description>
Covered entities must also notify an individual if a breach of that individual's sensitive personal information, including that individual's protected health information, has occurred, meaning the information was acquired, or is reasonably believed to have been acquired, by an unauthorized person. Although HB300 does not itself define "sensitive personal information", it incorporates the definition set forth in the Texas Business and Commerce Code, which includes:
an individual's first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
Social Security number;
Driver's license number or government-issued identification number; or
Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or
information that identifies an individual and relates to:
the physical or mental health or condition of the individual;
the provision of health care to the individual; or
payment for the provision of health care to the individual.
Note the encryption condition on the first category: a lost or stolen file in which both the names and the paired identifiers are encrypted (with the keys not also compromised) does not meet this definition. This means that documents you handle on a daily basis, such as initial client information sheets, tax returns, and bank statements, may fall under the umbrella of sensitive information that must be safeguarded pursuant to HB300.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/7103/breach-notifications-under-hb300.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
97      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/texas-hb300/video/introduction-to-texas-hb300-training</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3942.mp4      </video:content_loc>
      <video:title>
Introduction to Texas HB300 Training      </video:title>
      <video:description>
Hi, this is Dawn from ProHIPAA, I will be your compliance guide. Today, we will be learning about the Texas Law HB300. You are taking this course because you either live in the great state of Texas like me or you do business in the great state of Texas.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/7091/introduction-to-texas-hb300-training.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
28      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/texas-hb300/video/conclusion-to-hb300-training-course</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3950.mp4      </video:content_loc>
      <video:title>
Conclusion to HB300 Training Course      </video:title>
      <video:description>
In conclusion, Texas HB300 dramatically expanded the HIPAA and HITECH regulations already in place. The most significant changes are the broader definition of a covered entity and the required training. Under HB300, if you handle or come in contact with PHI or ePHI, you are considered a covered entity and must take appropriate measures to protect PHI at all times. If you still have questions or need a guide to help you navigate this law, please call us at 844-722-8898.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/7107/conclusion-to-hb300-training-course.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
48      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/texas-hb300/video/what-training-is-required-under-hb300</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3945.mp4      </video:content_loc>
      <video:title>
What Training is Required under HB300?      </video:title>
      <video:description>
HB300 mandates customized employee training on state and federal patient privacy and security laws. Training must cover federal and state regulatory requirements and must be tailored to the covered entity's course of business and each employee's scope of employment as it relates to PHI use and disclosure. Employees of covered entities must complete training at least once every two years, and new hires must complete it no later than 60 days after their hire date. A covered entity shall require an employee who attends such a training program to sign, electronically or in writing, a statement verifying the employee's attendance, and the covered entity shall retain the signed or electronic training record. Keep those records somewhere you can produce them on request, since the record is the evidence that the training requirement was met.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/7097/what-training-is-required-under-hb300.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
53      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/texas-hb300/video/duties-of-covered-entities-to-provide-notice</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3947.mp4      </video:content_loc>
      <video:title>
Duties of Covered Entities to Provide Notice      </video:title>
      <video:description>
Now let’s discuss the covered entity’s duty to provide notice. The law also broadens the scope of covered entities’ Notice of Privacy Practices or other general notices to inform patients about how their e-PHI is used and disclosed. Note that for some entities, this will mean the need to issue a notice if the PHI is subject to electronic disclosure, e.g., for entities such as business associates that would not be required to issue a Notice of Privacy Practices under the HIPAA Privacy Rule. A covered entity shall provide notice to an individual for whom the covered entity creates or receives protected health information if the individual's protected health information is subject to electronic disclosure. A covered entity may provide general notice by: posting a written notice in the covered entity's place of business; posting a notice on the covered entity's Internet website; or posting a notice in any other place where individuals whose protected health information is subject to electronic disclosure are likely to see the notice.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/7101/duties-of-covered-entities-to-provide-notice.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
68      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/texas-hb300/video/medical-records-and-enforcement-authority</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3946.mp4      </video:content_loc>
      <video:title>
Medical Records and Enforcement Authority      </video:title>
      <video:description>
Medical Records: Under the new law, Texas covered entities must provide patients with their EHRs in electronic format within 15 business days after receipt of a written request. The Texas Health and Human Services Commission will soon recommend a standard format for the release of EHRs that is consistent with federal law. Now let’s talk about Enforcement Authority: Following the Office of Civil Rights’ recent lead, the website of the Office of the Attorney General of Texas will give consumers access to public health information to educate members of the public, including the steps to take to file a complaint with the applicable state agencies and those agencies' contact information. These state agencies will file annual complaint reports with the Attorney General of Texas. The Attorney General will then provide an annual report to the Texas Legislature that includes an overview and statistical analysis of the complaints received.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/7099/medical-records-and-enforcement-authority.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
63      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/texas-hb300/video/hb300-penalties</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3949.mp4      </video:content_loc>
      <video:title>
HB300 Penalties      </video:title>
      <video:description>
In addition, HB300 authorizes civil penalties ranging from $5,000 to $1.5 million for data breaches, depending on the severity, the covered entity’s compliance program, whether the entity was certified, and its efforts to correct the violation. Besides these increased civil monetary penalties, a data breach may also be classified as a felony. Audits: The Attorney General is also authorized by HB300 to work in tandem with the OCR and the Texas Department of Insurance in conducting audits of a covered entity. This includes monitoring the results of that audit. While the focus certainly seems to be on covered entities within the health care industry, anyone or any business with access to PHI should already be taking appropriate measures to ensure they are compliant with Texas HB300.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/7105/hb300-penalties.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
60      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/texas-hb300/video/what-is-texas-house-bill-300</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3943.mp4      </video:content_loc>
      <video:title>
What is Texas House Bill 300?      </video:title>
      <video:description>
Texas House Bill 300, also known as Texas HB300, took effect on September 1, 2012. This bill significantly expands patient privacy protections for Texas covered entities beyond the federal requirements known as "HIPAA" and "HITECH." Texas HB 300 expanded legal requirements by: revising the definition of a "covered entity"; increasing mandates on covered entities, including requiring customized employee training; establishing standards for the use of electronic health records ("EHRs"); granting enforcement authority to several state agencies; and increasing civil and criminal penalties for the wrongful electronic disclosure of PHI.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/7093/what-is-texas-house-bill-300.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
51      </video:duration>
    </video:video>
  </url>
  <url>
    <loc>https://www.prohipaa.com/training/texas-hb300/video/what-is-a-covered-entity-under-hb300</loc>
    <video:video>
      <video:content_loc>
https://d3imrogdy81qei.cloudfront.net/videos/course_videos/en/3944.mp4      </video:content_loc>
      <video:title>
What is a Covered Entity under HB300?      </video:title>
      <video:description>
HB300 significantly expands the definition of a Texas "covered entity." A "covered entity" is now defined as any person or entity who: for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information; comes into possession of protected health information; obtains or stores protected health information under this chapter; or is an employee, agent, or contractor of a person insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information. This revised definition is broad and includes not only health care providers but also those entities and individuals who, under the “HIPAA Privacy Rule,” a federal regulation that protects the privacy of individually identifiable health information, would be classified as business associates and health care payers. In addition, the Texas Act’s “covered entity” definition includes governmental units, information or computer management entities, schools, health researchers, health care facilities, clinics, and persons who maintain an Internet site. As a result, this revision impacts any entity that conducts business in Texas and collects, uses, and/or stores PHI. While HITECH only covers law firms representing covered entities, HB300 expands those regulations to cover any law firm handling medical records, health insurance records, or healthcare billing records.      </video:description>
      <video:thumbnail_loc>
https://d3imrogdy81qei.cloudfront.net/video_images/7095/what-is-a-covered-entity-under-hb300.jpg      </video:thumbnail_loc>
      <video:family_friendly>
Yes      </video:family_friendly>
      <video:duration>
129      </video:duration>
    </video:video>
  </url>
</urlset>
