Understanding HIPAA: Ensuring Privacy and Security of Patient Information
Learn about HIPAA's privacy and security rules, their importance, and how to implement safeguards to protect patient information in healthcare settings.
HIPAA Training What is required for HIPAA Compliance
Added on 09/26/2024

Speaker 1: HIPAA stands for the Health Insurance Portability and Accountability Act. Its original purpose was to protect people from losing their health insurance if they change jobs or have pre-existing health conditions. HIPAA has been expanded over the years to also help reduce the cost and administrative burdens of healthcare transactions, and most recently to develop standards and requirements to protect the privacy and security of personal health information. It's HIPAA's privacy and security rules that we'll cover here. Because privacy and security rules require healthcare organizations to adopt processes and procedures to ensure the highest degree of patient confidentiality, it makes sense. Patients desire their information to be secure and rely on you to keep it safe and confidential.

Personal health information, or PHI, can be created, stored, or transmitted in many formats: through verbal conversations, written documents, over computer software or hardware, and in various other forms. All require security and confidentiality measures to be implemented. PHI may include anything in the patient health records, such as lab results, medical history, images, and more. It also includes other patient information, like names, birthdates, Social Security numbers, email addresses, and other information that can be used to create identity theft. It seems like every day we hear about another data breach. Keeping patient information safe is what HIPAA governs, and what you're responsible to protect.

A covered entity under HIPAA may not use or disclose protected health information unless a patient authorizes its disclosure in writing. However, we may disclose protected health information without an individual's authorization for any of the following purposes or situations:

1. To any individual that has been authorized by the patient.
2. For treatment, payment, or general health care operations.
3. If the individual has the opportunity to agree or object to a disclosure. For example, when the patient brings another patient into the exam room.

In addition, all practices are required to provide patients with a Notice of Privacy Practices, NPP. It is a best practice to make a good-faith effort to obtain a patient's written acknowledgement of receiving the notice. The NPP must inform patients of the uses and disclosures of PHI that the practice may make, and define the patient's right to access and amend their medical information. Except in certain circumstances, individuals have the right to review and obtain a copy of their protected health information. You may impose reasonable fees for the cost of copying and fulfilling the patient's request.

When you disclose PHI, you must use the minimum necessary information to accomplish the purpose of the disclosure or request. Practices must identify each employee who needs access to PHI to carry out their job, and PHI should be limited to a need-to-know basis. For non-employees, you must limit the amount of PHI to what is needed to accomplish the work. You should also rely on ethics and your best judgment in deciding whether to disclose protected health information.

The HIPAA Security Rule requires covered entities to implement administrative, physical, and technical safeguards to ensure that medical information is stored, transmitted, and received in a safe and secure manner. Administrative safeguards require practices to create and maintain updated policies and procedures for employees to learn and follow to help maintain the security of PHI. Some examples of administrative safeguards include acceptable use policies to help train employees on their access rights and responsibilities with handling PHI. Sanction policies are needed to discipline employees who violate HIPAA law. Information access policies grant appropriate access to computer workstations, health records and transactions, and other programs or processes. Security awareness training must be implemented so employees are trained and reminded of policies and procedures relating to software updates, computer login monitoring, password updates, and other key security measures. And contingency planning, so adequate preparation, policies, and procedures are in place in order to respond to an emergency. For example, if there is a fire, vandalism, or other natural disaster, an incident and emergency response plan must be created, tested, and revised, and all critical activities must have a designated owner.

Technical safeguards require practices to implement procedures and the right software and equipment to protect PHI. Practices must implement technical policies and procedures to allow access to only those people who need access to do their jobs. Practices should incorporate encryption and decryption in backing up, restoring, and transmitting electronic patient information. And policies and procedures must be set up to destroy PHI when it is no longer necessary to fulfill a job or function. Technical safeguards must be implemented to protect the location and devices within your practice. Facility access controls must be created and all access must be monitored. It's important that you understand and monitor who is accessing the practice, and that security measures are put in place prior to and after a potential incident.

To help administer these safeguards, HIPAA requires that every practice designate a HIPAA security and HIPAA privacy officer. The designee can be the same person, if appropriate. The HIPAA security and privacy officers play key roles in leading the implementation and training of HIPAA requirements for your practice. HIPAA is enforced by the Office of Civil Rights, a division of Health and Human Services. Penalties can be up to $50,000 per penalty per violation, and increase up to $1.5 million per identical penalty, or willful neglect in any calendar year. Illegal and criminal penalties may apply depending on the offense.

In addition, with the enactment of HIPAA's Omnibus Rule in September 2013, covered entities were expanded to include your business associates, which include auditors, consultants, IT companies, and others with whom you have agreements involving the use of protected health information. That means when a doctor takes notes in a medical chart, or an assistant data-enters health information into a report or online program discussing a patient's condition, any entity that is also in contact with this information is now governed under HIPAA. HIPAA requires that updated business associate agreements are executed between the practice and all business associates.

It's important you do everything necessary to protect your patients' private information and to comply with the HIPAA security and privacy rules. A practice's reputation is at risk if you violate HIPAA law or if patient information is compromised. Penalties can be devastating, and it's your duty to contribute to a commitment of developing a culture of compliance and data security for your practice. If you see any suspicious activity, please report it to your supervisor as soon as possible. Thank you for participating in today's HIPAA training. Please follow up with your supervisor if you have any additional questions.
