Welcome to the
Privacy and Security
Training Session!
Draft v.12
4/8/15
Disclaimer
This HIPAA Privacy & Security Training Session Copyright by the HIPAA Collaborative
of Wisconsin (HIPAA COW) may be freely redistributed in its entirety provided that this
copyright notice is not removed. When information from this document is used, HIPAA
COW shall be referenced as a resource. It may not be sold for profit or used in commercial
documents without the written permission of the copyright holder. This HIPAA Privacy &
Security Training Session is provided as is without any express or implied warranty. It is
for educational purposes only and does not constitute legal advice. If you require legal
advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not
addressed all state pre-emption issues related to this HIPAA Privacy & Security Training
Session. Therefore, this document may need to be modified in order to comply with
Wisconsin/State law.
This document is not a complete summary covering every aspect of the Privacy and Security
Rules. You may need to modify content to suit your organization's policies and procedures.
Slides are provided for informational purposes only.
It is recommended to select only those slides or groups of slides that are relevant to your
training purposes.
This Training Session is not meant to be presented as is, but as a starting point or idea
generator only.
Copyright HIPAA COW 2
Privacy and Security Training Sections
1. What is HIPAA?
2. Why is HIPAA Important?
3. HIPAA Definitions
4. HIPAA Enforcement
5. Patient Rights
6. HIPAA Privacy Requirements
7. The Breach Notification Rule
8. Release of Information (ROI)
9. HIPAA Security Rule
10. PHI Safeguarding Tips
11. Business Associate Agreements
12. HIPAA Violations and Complaints
13. Discussion Slides
Privacy and Security Training Presenters
Privacy Officer:
[Insert Name and contact information]
Security Officer:
[Insert Name and contact information]
Compliance Committee Members:
[Insert Names and contact information]
Section I
Introduction
What is HIPAA?
What is HIPAA?
Acronym for Health Insurance Portability & Accountability
Act of 1996 (45 C.F.R. parts 160 & 164).
Provides a framework for establishment of nationwide
protection of patient confidentiality, security of electronic
systems, and standards and requirements for electronic
transmission of health information.
What is HIPAA?
Health Insurance Portability & Accountability Act of 1996
1. Privacy Rule
2. Security Rule
3. Electronic Data Exchange
Each part of HIPAA is governed by different laws.
Privacy Rule
Privacy Rule went into effect April 14, 2003.
Privacy refers to protection of an individual's health care data.
Defines how patient information is used and disclosed.
Gives patients privacy rights and more control over their own health
information.
Outlines ways to safeguard Protected Health Information (PHI).
Note: Some Wisconsin Privacy Laws (e.g. WI Chapters 51, 146, 252 and DHS 92) are
more stringent than the HIPAA Privacy Rule.
Security Rule
Security (IT) regulations went into effect April 21, 2005.
Security means controlling:
Confidentiality of electronic protected health information (ePHI).
Storage of electronic protected health information (ePHI)
Access into electronic information
Electronic Data Exchange (EDI)
Defines transfer format of electronic information between providers and
payers to carry out financial or administrative activities related to health
care.
Information includes coding, billing and insurance verification.
Goal of using the same formats is to ultimately make billing process more
efficient.
Why Comply With HIPAA?
To show our commitment to protecting privacy
As an employee, you are obligated to comply with [Insert Your
Organization Name] privacy and security policies and procedures
Our patients/members are placing their trust in us to preserve the
privacy of their most sensitive and personal information
Compliance is not an option, it is required.
If you choose not to follow the rules:
You could be put at risk, including personal penalties and
sanctions
You could put [insert organization name] at risk, including
financial and reputational harm
HIPAA Regulations
HIPAA Regulations require we protect our patients' PHI in all media including, but not
limited to, PHI created, stored, or transmitted in/on the following media:
Verbal Discussions (e.g. in person or on the phone)
Written on paper (e.g. chart, progress notes, encounter forms, prescriptions,
x-ray orders, referral forms and explanation of benefits (EOB) forms)
Computer Applications and Systems (e.g. electronic health record (EHR),
Practice Management, Lab and X-Ray)
Computer Hardware/Equipment (e.g. PCs, laptops, PDAs, pagers, fax
machines, servers and cell phones)
Section II
Why is HIPAA Important?
This training session provides you with REMINDERS of our organizational POLICIES
and how YOU are required to PROTECT PHI
Why is Privacy and Security Training
Important?
Outlines ways to prevent accidental and intentional
misuse of PHI.
Makes PHI secure with minimal impact to staff and
business processes.
It's not just about HIPAA, it's about doing the
right thing!
Shows our commitment to managing electronic
protected health information (ePHI) with the same care
and respect as we expect of our own private
information
Why is Privacy and Security Training Important?
It is everyone's responsibility to take the confidentiality of patient
information seriously.
Anytime you come in contact with patient information or any
PHI that is written, spoken or electronically stored, YOU become
involved with some facet of the privacy and security regulations.
The law requires us to train you.
To ensure your understanding of the Privacy and Security Rules
as they relate to your job.
Section III
HIPAA Definitions
HIPAA Definitions
What is Protected Health Information (PHI)?
Protected Health Information (PHI) is individually identifiable
health information that is:
Created or received by a health care provider, health plan,
employer, or health care clearinghouse and that
Relates to the past, present, or future physical or mental
health or condition of an individual;
Relates to the provision of health care to an individual; or
Relates to the past, present or future payment for the provision of
health care to an individual.
HIPAA Definitions
What Does PHI Include?
Information in the health record, such as:
Encounter/visit documentation
Lab results
Appointment dates/times
Invoices
Radiology films and reports
History and physicals (H&Ps)
Patient Identifiers
HIPAA Definitions
What are Patient Identifiers?
PHI includes information by which the identity of a patient can be
determined with reasonable accuracy and speed either directly or by
reference to other publicly available information.
HIPAA Definitions
What Are Some Examples of Patient Identifiers?
Names
Medical Record Numbers
Social Security Numbers
Account Numbers
License/Certification numbers
Vehicle Identifiers/Serial numbers/License plate numbers
Internet protocol addresses
Health plan numbers
Full face photographic images and any comparable images
Any other unique identifying number, characteristic or code
Web universal resource locators (URLs)
Any dates related to any individual (e.g. date of birth)
Telephone numbers
Fax numbers
Email addresses
Biometric identifiers including finger and voice prints
HIPAA Definitions
What Are Uses and Disclosures?
Uses: When we review or use PHI internally (e.g. audits, training,
customer service, or quality improvement).
Disclosures: When we release or provide PHI to someone (e.g. an attorney,
the patient, or faxing records to another provider).
HIPAA Definitions
What is Minimum Necessary?
To use or disclose/release only the minimum necessary to accomplish
intended purposes of the use, disclosure, or request.
Requests from employees at [Organization]:
Identify each workforce member who needs to access PHI.
Limit the PHI provided on a need-to-know basis.
Requests from individuals not employed at [Organization]:
Limit the PHI provided to what is needed to accomplish the purpose
for which the request was made.
HIPAA Definitions
What is Treatment, Payment and Health Care Operations (TPO)?
HIPAA allows Use and/or Disclosure of PHI for purpose of:
Treatment: providing care to patients.
Payment: the provision of benefits and premium payment.
Health Care Operations: normal business activities (e.g. reporting, quality
improvement, training, auditing, customer service and resolution of grievances, data
collection, eligibility checks and accreditation).
Section IV
HIPAA Enforcement
Why Do We Need to Protect PHI?
It's the law.
To protect our reputation.
To avoid potential withholding of federal Medicaid and Medicare
funds.
To build trust between providers and patients.
If patients feel their PHI will be kept confidential, they will be more likely to share information needed for care.
Who or What Protects PHI?
Federal Government protects PHI through HIPAA regulations
Civil penalties up to $1,500,000/year for identical types of violations.
Penalties for willful neglect violations are mandatory!
Criminal penalties:
$50,000 fine and 1 year prison for knowingly obtaining and
wrongfully sharing information.
$100,000 fine and 5 years prison for obtaining and disclosing through
false pretenses.
$250,000 fine and 10 years prison for obtaining and disclosing for
commercial advantage, personal gain, or malicious harm.
Our organization, through the Notice of Privacy Practices (NPP).
You, by following our policies and procedures.
[Diagram: layers of protection, from Government to Organization to You]
Enforcement
How are the HIPAA Regulations Enforced?
The Public. The public is educated about their privacy rights
and will not tolerate violations! They will take action.
Office For Civil Rights (OCR). The agency that enforces the
privacy regulations providing guidance and monitoring
compliance.
Department of Justice (DOJ). Agency involved in criminal
privacy violations. Provides fines, penalties and imprisonment
to offenders.
[Diagram: HIPAA Enforcement by the Department of Justice, the Office for Civil Rights, and the Public]
Section V
Patient Rights
HIPAA Regulations
What Are the Patients' Rights Under HIPAA?
The Right to Individual Privacy
The Right to Expect Health Care Providers Will
Protect These Rights
Other Patient Rights Include: Access, Communications, Special Requests,
Amendment, Accounting of Disclosures, Notice of Privacy Practices and
Reminders, and the Right to File Complaints.
Patient Rights
Notice of Privacy Practices (NPP)
What is the purpose of the NPP?
Summarizes how [Organization] uses and discloses
patients' PHI.
Details patients' rights with respect to their PHI.
The Organization must request that new patients sign the
NPP acknowledgment form at the time of their first visit.
Patients sign the Acknowledgment of Receipt to confirm
that they have been offered and/or received the NPP.
If unable to obtain a signed Acknowledgement, the
Organization must document its good faith efforts to
obtain such acknowledgement and the reason why it
could not obtain it.
Patient Rights
Access and Inspect PHI
Patients have the right to inspect and copy their PHI.
However, there are some situations where access may be denied or delayed:
Psychotherapy notes.
PHI compiled for civil, criminal or administrative action or proceedings.
PHI subject to CLIA Act of 1988 when access prohibited by law.
If access would endanger a person's life or safety based upon professional
judgment.
If a correctional inmate's request may jeopardize health and safety of the
inmate, other inmates or others at the correctional institution.
If a research study has previously secured agreement from the individual to
deny access.
If access is protected by the Federal Privacy Act.
If PHI was obtained under promise of confidentiality and access would reveal
the source of the PHI.
Patient Rights
Request Alternate Communication
Patient has the right to request to receive communication by
alternative means or location. For example:
The patient may request a bill be sent directly to him instead of
to his insurance company.
The patient may request we contact her on cell phone instead of
home telephone number.
Patient Rights
Special Access Request
Example: If a patient requests that we always call a family
member instead of her directly, what are some options:
Your organization may have specific form to complete
Your organization may have a policy to refer such requests to
Patient Relations or another customer service department
Usually, the organization will have a process in place to document the
patient's wishes in his/her medical record
Patient Rights
Request Amendment
Patient has the right to request an amendment or correction to PHI
However, there may be situations when the request may be denied, including:
[Organization] did not create the information.
The record is accurate according to the health care professional who wrote it.
The information is not part of the [Organization's] record.
If a patient indicates there is an error in his/her record, what are some
options:
Your organization may have a specific form to be completed
Your organization may have process in place to direct requests to
Member Relations or another customer service department
Usually, an approved amendment will be directed to the Health
Information Management Department or Privacy Officer
Patient Rights
Request Restriction
Record Restriction may be requested by the patient if he/she wishes to
change or restrict how your organization uses and discloses his/her PHI.
Organization must honor request to restrict disclosure to a health plan:
If the disclosure is for the purpose of carrying out payment or health care
operations and is not otherwise required by law; and
The PHI pertains to items and services paid by the patient or patient
representative in-full.
For all other requests for restrictions, organization must make reasonable
effort to honor request, but approval is not required
Organization typically has a form to complete to request the restriction
Patient may later revoke a request for record restriction.
Patient Rights
Accounting of Disclosures
Accounting of Disclosures is a request for a list of disclosures of a patient's
PHI that did not require an authorization or the opportunity for the patient to
agree or object.
Organization typically has a form to complete to request the accounting
The HIPAA rules require the organization to provide certain information
about the disclosure, such as date, name of person who received the PHI, a
description of the PHI and the purpose of the disclosure.
Individual may request accounting of disclosures as far back as six years
before the time of the request.
Organization must provide the first accounting without charge.
Subsequent requests for accountings by the same individual within a 12
month period may be charged a reasonable, cost-based fee, as long as the
organization provides notice to the individual.
Patient Rights
Accounting of Disclosures (cont'd)
Accounting of Disclosures Does Not Include Disclosures For:
Treatment (to persons involved in the individual's care), payment
or health care operations.
The individual who is the subject of the PHI.
Incident to an otherwise permitted disclosure.
Disclosure based on the individual's signed authorization.
For facility directory.
For national security or intelligence purposes.
To correctional facilities or law enforcement on behalf of
inmates.
As part of a limited data set (see 45 CFR s. 164.514).
Patient Rights
Accounting of Disclosures (cont'd)
Accounting of Disclosures Does Include Disclosures For:
Required by law
For public health activities
Victims of abuse, neglect, violence
Health oversight activities
Judicial/Administrative proceedings
Law enforcement purposes
Organ/eye/tissue donations
Research purposes
To avert threat to health and safety
For specialized government functions
About decedents
Workers' compensation
Releases made in error to an incorrect person/entity (i.e. breach)
Section VI
HIPAA Privacy Requirements
Personnel Designation
Privacy Officer
Privacy Officer Responsibilities
Development and implementation of the policies and
procedures of the entity
Designated to receive and address complaints regarding
Privacy
Provide additional information as requested about matters
covered by the Notice of Privacy Practices
Designation of the Privacy Officer must be documented
Training
Members of the workforce who handle PHI require
training
Required upon hire and recommended annually
As material changes are implemented, training to appropriate
workforce members affected by that change
Documentation of the training, who attended, the topic covered
and date the training was held
Safeguards
Implementation of administrative, physical and
technical safeguards (work in tandem with Security
rule).
Safeguard PHI from any intentional or unintentional
use or disclosure.
Limit incidental uses and disclosures that occur as a
result of otherwise permitted or required uses and
disclosures.
Example: create safeguards to prevent others from
overhearing PHI.
Patient Right
File Privacy Complaint
Individuals may file complaints with
[Organization's] Privacy Official regarding
health information privacy violations or
[Organization's] privacy compliance program.
Individuals may file complaints with the
Department of Health and Human Services
Office of Civil Rights.
Sanctions
Develop and apply appropriate sanctions for non-
compliance with [Organization's] policies and
procedures.
Document sanctions that are applied.
NOTE: Sanctions can be referred to as discipline or
corrective action.
Mitigation
[Organization] must mitigate, to the extent practicable,
any harmful effects known to the [Organization] of a
use or disclosure of PHI (by the Covered Entity or
Business Associate) in violation of the [Organization's]
policies and procedures or the requirements of the
Privacy Rule.
Refraining From
Intimidating or Retaliatory Acts
[Organization] may not intimidate, threaten, coerce,
discriminate against, or take other retaliatory action
against:
Individuals for exercising their rights or filing a complaint;
Individuals and others for:
Filing a complaint with the Secretary;
Testifying, assisting, or participating in an investigation,
compliance review, proceeding, or hearing; or
Good faith opposition to a prohibited act or practice
Waiver of Rights
[Organization] cannot require an individual
to waive their rights provided under this
rule for the purpose of providing treatment,
payment or enrollment in a health plan or
eligibility for benefits.
Policies and Procedures
[Organization] must implement policies and procedures
designed to comply with the Breach and Privacy Rules.
[Organization] must change policies and procedures as
necessary and appropriate to comply with changes in the law
and maintain consistency between policies, procedures and
the Notice of Privacy Practices.
[Organization] must document all changes made to policies
and procedures and maintain all policies for 6 years.
[Organization] must train employees on changes made to
policies and procedures.
Documentation
[Organization] must maintain all documentation for 6
years from the date of its creation, including:
Policies and procedures in written or electronic form;
Communications in written or electronic form when such
communications are required in writing;
Written or electronic records of actions, activities, or
designations as required.
[Diagram: Event, Investigation, Corrective Action, Resolution, Documentation]
Definition of PHI Misuse
The following activities occurring in the absence of patient
authorization are considered misuse of protected health information
(PHI):
Access
Using
Taking
Possession
Release
Editing
Destruction
[Callout: No! You must have authorization first!]
Types of Privacy Violations
Type I -- Inadvertent or Unintentional Disclosure
Inadvertent, unintentional or negligent act which violates policy and which may
or may not result in PHI being disclosed.
Disciplinary action for a Type I disclosure will typically be a verbal warning,
re-education, and review and signing of the Confidentiality Agreement.
However, disciplinary action is determined with the collaboration of the
Privacy Officer, Director of Human Resources and the department manager.
Type II -- Intentional Disclosure
Intentional act which violates the organization's policies pertaining to that PHI
which may or may not result in actual harm to the patient or personal gain to
the employee.
Breach notification processes will be followed as described in the Breach
Notification Policy.
Section VII
Breach Notification Rule
Breach Notification
Definition of Breach (45 C.F.R. 164.402)
Impermissible use or disclosure of (unsecured) PHI is assumed to
be a breach unless the covered entity or business associate
demonstrates a low probability that the PHI has been
compromised based on a risk assessment.
Breach Notification
Unsecured PHI
Unsecured protected health information means protected health
information (PHI) that is not rendered unusable, unreadable, or
indecipherable to unauthorized persons through the use of a technology or
methodology required by the Breach Notification Rule.
Breach Notification
Risk Assessment
Risk Assessment under the Final Rule requires consideration of
at least these four factors:
The nature and extent of the PHI involved, including the types
of identifiers and the likelihood of re-identification;
The unauthorized person who used the PHI or to whom the
disclosure was made;
Whether the PHI was actually acquired or viewed; and
The extent to which the risk to the PHI has been mitigated
Breach Notification
Risk Assessment Factor #1
Evaluate the nature and the extent of the PHI involved, including types of
identifiers and likelihood of re-identification of the PHI:
Social security number, credit card, financial data (risk of
identity theft or financial or other fraud)
Clinical detail, diagnosis, treatment, medications
Mental health, substance abuse, sexually transmitted
diseases, pregnancy
Breach Notification
Risk Assessment Factor #2
Consider the unauthorized person who impermissibly used the PHI or to
whom the impermissible disclosure was made:
Does the unauthorized person who received the information have
obligations to protect its privacy and security?
Is that person a workforce member of a covered entity or a business associate?
Does the unauthorized person who received the PHI have the wherewithal
to re-identify it?
Breach Notification
Risk Assessment Factor #3
Consider whether the PHI was actually acquired or viewed or if only
the opportunity existed for the information to be acquired or viewed
Example:
Laptop computer was stolen, later recovered and IT analysis shows that PHI
on the computer was never accessed, viewed, acquired, transferred, or
otherwise compromised
The entity could determine the information was not actually acquired by an
unauthorized individual, although opportunity existed
Breach Notification
Risk Assessment Factor #4
Consider the extent to which the risk to the PHI has been mitigated:
Example: Obtain the recipient's satisfactory assurance that information
will not be further used or disclosed
Confidentiality Agreement
Destruction, if credible
Reasonable Assurance
Breach Notification
Risk Assessment Conclusion
Evaluate the overall probability that the PHI has been compromised by
considering all the factors in combination (and more, as needed)
Risk assessments should be:
Thorough
Performed in good faith
Conclusions should be reasonably based on the facts
If evaluation of the factors fails to demonstrate low probability that the
PHI has been compromised, breach notification is required
Breach Notification
When Risk Assessment Not Required
A covered entity or business associate has the discretion to
provide the required notifications following an impermissible use
or disclosure of protected health information without performing
a risk assessment.
Breach Notification
Safe Harbor
Guidance Specifying the Technologies and Methodologies that Render
Protected Health Information Unusable, Unreadable, or Indecipherable to
Unauthorized Individuals
No breach notification required for PHI that is encrypted in accordance
with the guidance
Breach Notification
Discovery of Breach
A breach is treated as discovered:
On first day the breach is known to the covered entity, or
In the exercise of reasonable diligence, it should have been known to the
covered entity.
Notification time period for a breach begins when the organization did or
should have known it existed
How Do Privacy Violations Happen?
Fax Document to Wrong Location
Hello, this is Pizza Plaza on Stark Street. Did you mean
to fax me this lab result for Fred Flintstone?
Enter Incorrect Medical Record Number
I guess I was just typing too fast.
Forgetting to Verify Patient Identity
There were seven patients with the name Barney Rubble.
I should have confirmed his date of birth.
Section VIII
Release of Information
Release of Information (ROI)
When releasing PHI, it is important to know when a patient's
authorization is required. Patient authorizations are governed by
state and federal law.
Release of Information
Applying the Steps
I received a request to release PHI. What now?
Is the individual's authorization required before [Organization Name]
can release PHI?
Under certain circumstances (e.g., treatment, payment, or health
care operations), the individual's authorization is not required
(more on this later).
An authorization is required for disclosures of PHI not otherwise
permitted by the Privacy Rule or more stringent state law.
If so, has the authorization been filled out completely and
correctly?
Release of Information
Elements of a Valid Authorization
1. Individual's name
2. [Organization Name] (or a [Organization Name] employee or department)
as the party authorized to make the disclosure
3. Name of the person, organization or agency to whom the disclosure is to be
made
4. Purpose of the disclosure
5. Specific and meaningful description of the information to be disclosed
A. Note: If the release includes sensitive information (e.g., alcohol or drug abuse treatment
records, developmental disability records, HIV test results, reproductive health), these
must be affirmatively specified by the individual
6. The individual's right to revoke the authorization and either the exceptions
on the right to revoke and a description of how to revoke or a reference to
[Organization Name]'s Notice of Privacy Practices as appropriate
7. Statement of the ability or inability to condition treatment, payment,
enrollment or eligibility for benefits
Release of Information
Elements of a Valid Authorization (cont'd)
8. Statement on the potential for re-disclosure
9. If the release will involve marketing remuneration to [Organization Name],
a statement outlining this
10. If the authorization relates to Wisconsin Statute Chapter 51 treatment
records, the authorization must include a statement that the individual has a
right to inspect and receive a copy of the material to be disclosed
11. Expiration date or event
12. Time period during which the authorization is effective
13. Signature and date signed and
A. If signed by a personal representative, a description of his/her authority to sign and
relationship to individual must be provided
14. Must be written in plain language
If any element is missing, the authorization is not valid. Also, a copy of the
authorization must be provided to the individual.
Release of Information
Evaluating Authorizations
Evaluating Authorizations:
Should the access be denied? Has the access been denied?
Is [Organization Name] providing only the information specified in the
authorization?
Is the authorization combined with another type of document to create an
inappropriate compound authorization?
In what form/format should the information be provided?
How much time does [Organization Name] have to respond
to the request?
What fees can/should be applied?
Note: If you are uncertain about any of these steps, ask [Organization]'s Privacy Officer.
Release of Information
An Authorization Mishap
The patient's Authorization to Release Information stated
only the records from 2002 to 2006 should be sent to the
attorney. The Release of Information (ROI) Technician
didn't notice the limitation and sent documentation of a
motor vehicle accident in 2010. She lost her court case and
was fined $50,000.
The patient later filed a complaint with the ROI Technician's employer
and the Office for Civil Rights (OCR), and the ROI Technician was
fired.
Release of Information
When Authorization Not Required
Sometimes an authorization is not needed.
Read on to learn more.
Release of Information
Permitted Uses and Disclosures of PHI Without Authorization
Uses and disclosures of PHI for TPO:
Treatment
Payment
Health Care Operations
Disclosures required or permitted by law.
If use of the information does not fall under one of these categories you must
have the patient's signed authorization (written permission) before sharing
that information with anyone.
Release of Information
When Authorization Is and Is Not Required
When Authorization IS Required:
Use or disclosure of psychotherapy notes
Except in limited circumstances, use and disclosure of PHI for
marketing purposes
When selling PHI
When Authorization IS NOT Required:
Disclosures to the individual
Uses and disclosures for treatment by your physician
Uses and disclosures for quality assurance activities
Release of Information
General Wisconsin Confidentiality Laws
Wisconsin laws may require authorizations, even though HIPAA doesn't
In 2014, Wisconsin passed the HIPAA Harmonization Law, at Wis. Stat.
s. 146.816, which aligns Wisconsin's confidentiality law with HIPAA for
TPO uses and disclosures
The next few slides summarize a few of the more commonly used
Wisconsin confidentiality laws
Release of Information
General Wisconsin Confidentiality Laws
Statute and Summary:
146.82, Wis. Stat.: Covers general medical health care PHI and authorization
requirements
51.30, Wis. Stat.: Covers PHI relating to mental health, AODA, and
developmentally disabled treatment, authorization requirements, and penalties
DHS 92, Adm. Code: Further covers confidentiality of mental health treatment
records (with 51.30)
DHS 144, Adm. Code: Covers release of immunizations between vaccine
providers, and to schools specifically for minors
Release of Information
General Wisconsin Confidentiality Laws
Statute and Summary:
102.13 & 102.33, Wis. Stat.: Covers records reasonably related to a workers'
compensation claim and release to the employee (patient), employer, workers'
compensation insurer, or Department with a written request
610.70, Wis. Stat.: Covers disclosure of personal medical information by
insurers
252.15, Wis. Stat.: Covers health care information relating to HIV testing
and authorization requirements
Copyright HIPAA COW
77
Release of Information
Another Regulation to Consider
Statute | Summary
42 CFR, Part 2 | Federal Alcohol and Drug Regulations, which cover use and release of a patient's drug and alcohol abuse records in a federally assisted program
Copyright HIPAA COW 78
Release of Information
Restrictions and Alerts
Your organization may have restrictions or alerts designed to
bring an employee's attention to specific information
For example:
Patient is adopted. Check [insert where to find flag/restriction] for
special instructions
Patient has authorized spouse to receive lab results on her behalf.
Check [insert where to find flag or restriction] for more information
Copyright HIPAA COW 79
Release of Information
Identity Verification
Prior to releasing PHI, ask the individual to provide you with enough
information to identify the patient, such as:
Name
Date of Birth
Address
Other identifiers: Social Security number, mother's maiden name
Identify someone other than the patient by requesting he or she provide
you with all the above information, as well as his or her relationship to the
patient.
Check a physical signature against a known one on file
Make a call-back to a known number
Ask for a photo ID
Ask for a business card
Provide only the minimum necessary to safeguard PHI.
Copyright HIPAA COW 80
Release of Information
Authority Verification
Once you know who the requestor is, be sure he or she has the
right to access this information
Routine requests from employees you know in [the
organization] who have a business-related reason to obtain
information are authorized
Unusual requests from individuals you don't know can be
risky, so before sharing PHI:
Ask your supervisor
And/or check [organization's] HIPAA Privacy Policies and Procedures
Copyright HIPAA COW 81
Release of Information
Individual Needs to Find Patient In Any Setting
If an individual would like to find out if a patient is in our facility, but the
patient is not listed in our Facility Directory:
Do not confirm or deny that the patient is here until you:
Obtain the names of the patient and of the individual making the request
Inform the requesting individual that if the patient is in our facility and
agrees to be told of the request, you will notify the patient
Privately call the department in which the patient is located
That department should ask the patient whether their location and/or condition may be
released to this individual
If the patient agrees, provide the information to the requesting individual
If the patient is not in the facility, or does not agree to have the requesting individual
told that he/she is here, inform the requesting individual that you are unable to confirm
or deny whether the patient is in the facility
Copyright HIPAA COW 82
Release of Information
Hospital Facility Directory
Use the following protected health information to maintain a
directory of individuals in its facility:
(A) The individual's name
(B) The individual's location in the health care provider's facility
(C) The individual's general condition, with no specific information
(D) The individual's religious affiliation
(E) Use or disclosure for directory purposes of such information:
(F) To members of the clergy; or, except for religious affiliation, to others who
ask for the individual by name
Copyright HIPAA COW 83
Release of Information
Hospital Facility Directory (cont'd)
Patients have the right to opt out of having their information
disclosed from a facility directory. There may be State laws that
also apply as to what qualifies as directory information.
The patient must be provided an opportunity to express his or her
preference about how, or if, facility directory information may be
disclosed. Disclosure of directory information may still occur if
doing so is in the individual's best interest as determined in the
professional judgment of the provider and would not be
inconsistent with any known preference previously expressed by
the individual.
Copyright HIPAA COW 84
Release of Information
Minimum Necessary
HIPAA requires reasonable steps to limit the use and
disclosures of, and requests for, protected health information to
the minimum necessary to accomplish the intended purpose.
The standard does not apply to the following:
Disclosures to or requests by a health care provider for treatment
purposes
Disclosures to the individual subject of the information
Uses or disclosures made pursuant to the individual's authorization
Uses or disclosures required for compliance with the HIPAA
Administrative Simplification Rules
Disclosures to the Dept. of Health and Human Services (HHS) when
disclosure is required under the Privacy Rule for enforcement purposes
Uses or disclosures that are required by other laws
Copyright HIPAA COW 85
Release of Information
Documentation
Document the release when required by law or by
[Organization's] policies
Neither HIPAA nor Wisconsin law requires documentation of
disclosures for purposes relating to treatment (providing and
coordinating care); payment (billing for services rendered);
and health care operations (internal business)
HIPAA requires documentation of breaches and other releases
of information
Copyright HIPAA COW 86
Release of Information
Documentation (cont'd)
Why do we have to document when we release
PHI (when required by law)?
Patients have the right to request a record of what PHI
was released and to whom (Accounting of Disclosures)
Documentation of releases of information
applies to both verbal and written disclosures
Copyright HIPAA COW 87
Release of Information
Process
If you don't know for sure whether information can be released:
Don't guess!
Contact [Organization] Privacy Officer at [insert number]
Contact HIM Department at [insert number]
Next, we'll move on to some release of information examples
Copyright HIPAA COW 88
Release of Information
Family and Friends
Verbal disclosure of information is permissible when:
Patient is present and alert: the patient decides
Patient is incapable of making wishes known: permission to discuss current care is inferred
Needed for care or payment:
Information is needed for the patient's care
Family member/friend must clearly be involved in payment for care
(involvement is obvious, or the patient stated so)
Notify family or friend(s) who are involved in the patient's care
of:
Patient's general condition
Patient's location
Patient being ready for discharge
Patient's death
Disclosures of this nature exclude paper copies
Copyright HIPAA COW 89
Release of Information
Divorced Parents
A divorced parent calls to get information on their
child. Can you release it?
If the parents are divorced, either parent may get access to the records
with a proper release. Assume that they can get records unless told
otherwise.
When parental rights are in question:
Obtain the court documents for the child's file from one of the parents.
If parental rights for physical placement have been terminated,
Wisconsin law allows only the parent with sole physical placement to
access records.
Copyright HIPAA COW 90
Release of Information
Legal Guardians
An individual calls to discuss appointment information with you for a patient and
states he is the patient's legal guardian. May I discuss this with the individual?
Yes, after obtaining the court documents appointing the individual as
the patient's Legal Guardian.
Make a copy of the court documents for the patient's file.
Confirm that the information being provided is appropriate and
necessary.
If unable to obtain court documents verifying legal guardianship, do
not discuss PHI with the individual.
Copyright HIPAA COW 91
Release of Information
Step-Parents
A step-parent calls to discuss her stepchild's care. May you discuss this with
her?
No, unless the step-parent is a legal guardian and [Organization] has
the guardianship papers on file, or a legal guardian has provided
authorization.
Step-parents may call to schedule appointments, but do not have
access to their stepchildren's PHI without authorization by a legal
guardian.
Copyright HIPAA COW 92
Release of Information
Foster Parents
What are the release of information rules for foster parents?
A foster parent must provide a copy of their WI driver's license or state ID and one or more of
the following:
Foster Parent ID Card (state-issued)
Foster Parent Authorization Form (signed by a biological parent or another individual with the
proper authority). This form will describe the foster parent's rights in health care situations.
(Note: these may be limited)
If the foster parent cannot produce these documents, are there other options?
Provide [organization] with the name and phone number of their [Insert County] Social Worker
[Organization] may call the Foster Parent Intake Line at [Insert phone number] to confirm
[Organization] may call either biological parent, if the information is available, to confirm status.
Give the foster parent the [organization] authorization form, if available, indicating that it must be
signed by a biological parent and returned to [organization].
Copyright HIPAA COW 93
Release of Information
Power of Attorney
The Designated Agent on a patient's power of attorney (POA) for health
care contacted me to discuss the patient's care. May I discuss it?
It depends. The Designated Agent's rights to access care, treatment
and payment information are not effective until the patient is declared
incapacitated by two physicians or one physician and one therapist
(with few exceptions)
The POA must be reviewed in detail to ensure the requested
information is consistent with the rights outlined in the document.
A Declaration of Incapacity Form should be submitted prior to
honoring a request from the designated agent.
Copyright HIPAA COW 94
Release of Information
Disclosure of Worker's Compensation PHI to Employer
What information can be disclosed in response to a Worker's
Compensation request?
We may disclose only those records reasonably related to the
Worker's Compensation claim/condition without an
authorization
The patient's written authorization is required to release any PHI
unrelated to the Worker's Compensation claim
Copyright HIPAA COW 95
Release of Information
To Another Facility
Can I release a patient's address and/or insurance information
to a nursing home?
Yes, if you know the requesting individual and the
request is legitimate
If you are unfamiliar with the individual requesting the
information, ask for the following in writing:
Patient's name, date of birth, and address
Why the information is needed
Specific reason (e.g. treatment or payment)
The requestor's name, the name of the nursing home, and a direct telephone
number for the nursing home (switchboard)
If uncertain, obtain patient authorization
Copyright HIPAA COW 96
Release of Information
Leaving Messages
A spouse answers the phone, or voice mail picks up. What information
may I provide?
State your first name and that you are calling from [Organization
name] (include the site).
Ask the patient to return your call, and provide your direct phone
number.
Do not provide lab results, or other detailed information, other than
an appointment reminder.
Example: This is Sally from [Organization] calling for Johnny Doe.
Please call me back at your earliest convenience at [number]. Thank
you.
Ensure the call is disconnected.
Copyright HIPAA COW 97
Release of Information
Item Pick Up
An individual arrives requesting to pick up a prescription for his
neighbor. Now what?
Request that he provide you with the patient's name, date of birth,
address, and his relationship to the patient.
Confirm that the patient's and requestor's information matches what the
patient provided when informing [organization] that this individual was
picking up the prescription.
If the information is consistent, we can be assured that the patient
requested prescription pick-up by this individual (according to the
Item Pick Up Policy).
Request that the individual sign the Item Pick Up Form and provide
him with the prescription.
Copyright HIPAA COW 98
Release of Information
Faxing PHI
May PHI Be Transmitted via Fax Machine?
Yes, but only when in the best interest of patient care or payment of
claims.
Faxing sensitive PHI, such as HIV, mental health, AODA, and
STD information, is strongly discouraged.
It is best practice to test a fax number prior to transmitting
information. If this is not possible:
Restate the fax number to the individual providing it.
Obtain a telephone number to contact the recipient with any
questions.
Do not include PHI on the cover sheet.
Verify you are including only the correct patient's information (i.e.
check the top and bottom pages).
Double-check the fax number prior to transmission.
Copyright HIPAA COW 99
Release of Information
E-Mail
We may not communicate with patients through e-mail at this time.
The patient portal will provide the opportunity to electronically
communicate with our patients.
When sending ePHI to other organizations for required business
functions (i.e. treatment, payment or health care operations), encrypt the
e-mail per [organization's] procedures.
Note to Organization: Depending on your Email policy, include either this slide, or the next, but not both
Copyright HIPAA COW 100
Release of Information
E-Mail (cont'd)
We may communicate with patients through e-mail only if
the patient has signed the organization's privacy and
security E-Mail Agreement.
When sending ePHI to anyone for treatment, payment or
health care operations, encrypt the e-mail per
[Organization's] procedures, and verify the organization's
confidentiality disclaimer is included.
Note to Organization: Depending on your Email policy, include either this slide, or the previous, but not both
Copyright HIPAA COW 101
Section IX
HIPAA Security Rule
Copyright HIPAA COW 102
HIPAA Security Rule
In general, the HIPAA Security Rule requires
covered entities and business associates to do the
following:
Implement administrative, physical, and technical safeguards
that reasonably and appropriately protect the confidentiality,
integrity, and availability of electronic protected health
information (ePHI) that is created, received, maintained or
transmitted.
Protect against any reasonably anticipated threats or hazards
to the security or integrity of ePHI.
Protect against any reasonably anticipated uses or disclosures
of ePHI that are not permitted or required under the Privacy
Rule.
Ensure compliance with the Security Rule by its workforce.
Copyright HIPAA COW 103
How We Apply the Security Rule
Administrative Safeguards
Policies and procedures are REQUIRED and must
be followed by employees to maintain security (e.g.
disaster, internet and e-mail use)
Technical Safeguards
Technical devices needed to maintain security.
Assignment of different levels of access
Screen savers
Devices to scan ID badges
Audit trails
Physical Safeguards
Must have physical barriers and devices:
Lock doors
Monitor visitors
Secure unattended computers
Copyright HIPAA COW 104
How We Apply the Security Rule
Policies and Procedures
Internet Use
Access only trusted, approved sites
Don't download programs to your workstation
E-Mail
Keep e-mail content professional
Use work e-mail for work purposes only
Don't open e-mails or attachments if you are suspicious of
or don't know the sender
Don't forward jokes
Follow [Organization's] policy for sending secure e-mails
Copyright HIPAA COW 105
How We Apply the Security Rule
ePHI Access
How Do We Control ePHI Access?
User names and passwords
Biometrics
Screen savers
Automatic logoff
Copyright HIPAA COW 106
Access to ePHI
Information Access Management
[Organization] must implement technical policies
and procedures for electronic information
systems that maintain ePHI to allow access only
to those persons or software programs that have
been granted access rights as specified in the
HIPAA Security Rule
Copyright HIPAA COW 107
Access to ePHI
User Names
[Organization] must assign a unique name and/or
number for identifying and tracking user identity. It
enables an entity to hold users accountable for
functions performed on information systems with
ePHI when logged into those systems.
Copyright HIPAA COW 108
Access to ePHI
Passwords
The Security Rule requires [organization] to implement
procedures regarding access controls, which can include
the creation and use of passwords, to verify that a person
or entity seeking access to ePHI is the one claimed.
The use of a strong password to protect access to
ePHI is an appropriate and expected risk
management strategy.
Copyright HIPAA COW 109
Access to ePHI
User Names and Passwords
What Makes a Strong Password?
Use at least 6-8 characters.
Use a minimum of 2 letters and 1 number, and both capital and lower case
letters
Use a pass-phrase such as MbcFi2yo (My brown cat Fluffy is two
years old)
Do not use passwords that others may be able to guess:
Spouse's name, pet's or child's name
Significant dates
Favorite sports teams
User Names and Passwords are required by the HIPAA Security Rule
Copyright HIPAA COW 110
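An added example (not part of the HIPAA COW deck) that turns the rules on this slide into a checker: it builds a pass-phrase password the way the slide does (first letter of each word, number words as digits) and tests a candidate password against the length, letter/number and mixed-case rules plus a per-user list of guessable facts. The slide says "at least 6-8 characters"; the `min_length` default of 8 takes the upper end of that range and is this example's assumption, as is the shape of the `profile` dictionary.

```python
import re

# Number words the slide's mnemonic example replaces with digits ("two" -> "2").
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def mnemonic_from_sentence(sentence):
    """Derive a pass-phrase style password as the slide does: keep the first
    character of each word (with its case) and write number words as digits.
    "My brown cat Fluffy is two years old" -> "MbcFi2yo"."""
    out = []
    for word in sentence.split():
        key = word.strip(".,!?").lower()
        out.append(NUMBER_WORDS.get(key, word[0]))
    return "".join(out)


def date_forms(iso_date):
    """Spellings of a significant date (YYYY-MM-DD) that commonly end up in passwords."""
    y, m, d = iso_date.split("-")
    return {y, y[2:], m + d, d + m, m + d + y, m + d + y[2:],
            d + m + y, d + m + y[2:], str(int(m)) + d + y}


def guessable_fragments(profile):
    """Lower-cased fragments derived from the facts the slide warns about:
    spouse, pet or child names, significant dates, favorite teams.
    Fragments shorter than 3 characters are dropped to avoid noise."""
    frags = set()
    for key in ("spouse", "pet", "child", "team"):
        for name in profile.get(key, []):
            frags.add(name.lower())
    for iso in profile.get("dates", []):
        frags |= date_forms(iso)
    return {f for f in frags if len(f) >= 3}


def check_password(password, profile=None, min_length=8):
    """Return a list of rule violations (empty list means the password passes).
    `profile` is a constructed, hypothetical dict of the user's guessable facts."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if sum(c.isalpha() for c in password) < 2:
        problems.append("fewer than 2 letters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both capital and lower case letters")
    lowered = password.lower()
    for frag in sorted(guessable_fragments(profile or {})):
        if frag in lowered:
            problems.append(f"contains guessable personal information ({frag})")
    return problems


if __name__ == "__main__":
    # Constructed sample profile for a hypothetical user.
    profile = {"pet": ["Fluffy"], "dates": ["2012-05-30"], "team": ["Packers"]}
    print(mnemonic_from_sentence("My brown cat Fluffy is two years old"))
    print(check_password("Fluffy2012!", profile))
    print(check_password(mnemonic_from_sentence("My brown cat Fluffy is two years old"), profile))
```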
What Can I Do to Help Protect
Our Computer Systems and Equipment?
Workstation use
Restrict viewing access to others
Follow appropriate log-on and log-off procedures
Lock your workstation, press Ctrl-Alt-Del or Windows key + L
Use automatic screen savers that lock your computer when not in use
Do not add your own software and do not change or delete ours
Know and follow organizational policies
If devices are lost, stolen or compromised, notify your supervisor
immediately!
Do not store PHI on mobile devices unless you are authorized to do so and
appropriate security safeguards have been implemented by your
organization
Copyright HIPAA COW 111
E-Mail Security
Appropriate use of e-mail can prevent the accidental disclosure of
ePHI. Some tips or best practices include:
Use email in accordance with policies and procedures defined by
the [Organization].
Use e-mail for business purposes and do not use e-mail in a way
that is disruptive, offensive, or harmful.
Verify email address before sending.
Include a confidentiality disclaimer statement.
Don't open e-mail containing attachments when you don't know
the sender.
Copyright HIPAA COW 112
Audit Controls
The Security Rule requires organizations to implement hardware,
software, and/or procedural mechanisms that record and examine
activity in electronic information systems that contain or use ePHI.
Organizations should define the reasons for establishing audit trail
mechanisms and procedures for their electronic information systems
that contain ePHI.
Reasons may include, but are not limited to,
System troubleshooting
Policy enforcement
Compliance with the Security Rule
Mitigating risk of security incidents
Monitoring workforce member activities and actions
Copyright HIPAA COW 113
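An added example, not from the HIPAA COW deck, of the "examine activity" half of this slide: a reviewer that runs a few workforce-monitoring rules over EHR access-audit lines. The rules model the situations the deck's discussion slides raise (looking up a relative who shares your last name, a co-worker who is also a patient, a record viewed repeatedly with no scheduled encounter). The log format, the workforce and patient directories and the encounter list are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed audit-line format: "<ISO timestamp> user=<id> patient=<MRN> action=<verb>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<mrn>\S+) action=(?P<action>\S+)")

# Constructed sample data for a hypothetical clinic.
WORKFORCE = {
    "jsmith": {"last_name": "Smith", "mrn": None},
    "jwhite": {"last_name": "White", "mrn": "MRN0007"},   # employee who is also a patient
    "cma_lee": {"last_name": "Lee", "mrn": None},
}
PATIENTS = {
    "MRN0001": {"last_name": "Smith"},    # shares jsmith's last name
    "MRN0002": {"last_name": "Garcia"},
    "MRN0007": {"last_name": "White"},    # the employee above
    "MRN0009": {"last_name": "Brown"},
}
# (user, patient, date) triples: scheduled encounters that justify access.
ENCOUNTERS = {("jsmith", "MRN0002", "2015-04-08"), ("cma_lee", "MRN0009", "2015-04-07")}

SAMPLE_LOG = [
    "2015-04-08T09:15:02 user=jsmith patient=MRN0002 action=VIEW",
    "2015-04-08T09:40:11 user=jsmith patient=MRN0001 action=VIEW",
    "2015-04-08T12:05:44 user=cma_lee patient=MRN0007 action=VIEW",
    "2015-04-07T12:01:00 user=cma_lee patient=MRN0009 action=VIEW",
    "2015-04-14T12:02:30 user=cma_lee patient=MRN0009 action=VIEW",
    "2015-04-21T12:03:10 user=cma_lee patient=MRN0009 action=VIEW",
]


def parse_line(line):
    """Parse one audit line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["day"] = date.fromisoformat(ev["ts"][:10])
    return ev


def has_relationship(user, mrn, day, encounters, window_days=1):
    """True if the user had an encounter with this patient within +/- window_days."""
    return any(u == user and m == mrn and abs((date.fromisoformat(d) - day).days) <= window_days
               for u, m, d in encounters)


def review_access_log(lines, workforce, patients, encounters):
    """Return a list of findings; each has the user, MRN, timestamp and reason codes."""
    findings = []
    unrelated_days = defaultdict(set)
    workforce_mrns = {w["mrn"] for w in workforce.values() if w["mrn"]}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, mrn, day = ev["user"], ev["mrn"], ev["day"]
        reasons = []
        if not has_relationship(user, mrn, day, encounters):
            reasons.append("NO_TREATMENT_RELATIONSHIP")
            unrelated_days[(user, mrn)].add(day)
        if workforce.get(user, {}).get("mrn") == mrn:
            reasons.append("SELF_ACCESS")
        elif mrn in workforce_mrns:
            reasons.append("WORKFORCE_MEMBER_RECORD")
        user_ln = workforce.get(user, {}).get("last_name")
        patient_ln = patients.get(mrn, {}).get("last_name")
        if user_ln and patient_ln and user_ln == patient_ln:
            reasons.append("SHARED_LAST_NAME")
        if reasons:
            findings.append({"ts": ev["ts"], "user": user, "mrn": mrn, "reasons": reasons})
    # A second pass catches a routine: the same unrelated record opened on 2+ distinct days.
    for (user, mrn), days in unrelated_days.items():
        if len(days) >= 2:
            findings.append({"ts": None, "user": user, "mrn": mrn,
                             "reasons": ["REPEATED_UNRELATED_ACCESS"],
                             "days": sorted(d.isoformat() for d in days)})
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, WORKFORCE, PATIENTS, ENCOUNTERS):
        print(f)
```

Findings are leads for the Privacy Officer to review, not conclusions; the encounter window and the rule set are policy choices each organization has to make for itself.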
Section X
PHI Safeguarding Tips
What else can I do to protect our patients' PHI?
Copyright HIPAA COW 114
Safeguarding PHI
Confidentiality
Securing information from improper disclosure also includes
Sharing PHI with only those that need to know (direct care workers, staff) in a
discreet manner
Refraining from discussing patient visits, conditions, progress, etc. with family,
friends, neighbors, and co-workers that do not have a need to know
Ensuring the disclosure of information reaches the intended
person:
Validating fax numbers prior to faxing PHI
Verification of identity prior to releasing information without the patient present
Requesting verbal authorization from the patient to discuss their health, conditions,
etc. with those that may be present
Copyright HIPAA COW 115
Safeguarding PHI
Availability
Ensuring those that require information for proper treatment, payment or
health care operations have access to the information they need to fulfill
their job obligations
Limiting access to information for those that do not require it to
perform the obligations of their job
Securing workstations by logging off, using strong passwords and keeping
passwords confidential
Copyright HIPAA COW 116
Safeguarding PHI
Integrity
Ensuring the electronic transmission of data is secured in a manner to
protect the integrity of the data. Protecting data integrity may include
using:
Secure e-mail or
Organization communication portals that transfer files within or
external to the organization for treatment, payment or operation
purposes
Copyright HIPAA COW 117
Safeguarding PHI
Family, Friends, You and PHI
Do not share with family, friends, or anyone else a patient's
name, or any other information that may identify him/her, for
instance:
It would not be a good idea to tell your friend that a
patient came in to be seen after a severe car accident.
Why? Your friend may hear about the car accident on the
news and know the person involved
Do not inform anyone that you know a famous person, or
their family members, were seen at this organization
Copyright HIPAA COW 118
Safeguarding PHI
Media and PHI
If I am contacted by the media, may I release PHI to them?
If I am contacted by an individual offering to pay me for PHI,
may I release it to them?
No! You may not release PHI under either of these
circumstances. Both are grounds for disciplinary action.
Refer the requestor to the Privacy Officer.
Copyright HIPAA COW 119
Safeguarding PHI
Delivery of PHI
I need to transport paper records/PHI to another department. Is this okay?
Yes, you may transport documents to another department.
Secure them so you don't drop them:
Carry them close to your person.
Carry them in a facility designated bag, box, or container.
Ensure no names are visible.
Ensure no records are left unattended.
Copyright HIPAA COW 120
Safeguarding PHI
Transporting PHI Offsite
When necessary to transport PHI externally:
Place in a locked briefcase, closed container, sealed, self-addressed
interoffice envelope;
Place PHI in the trunk of your vehicle, if available, or on the floor
behind the front seat;
Lock vehicles when PHI is left unattended
[Include if this applies to your organization]: You may not transport
patient charts between departments or offsite unless authorized by the
Director of Health Information Management.
Copyright HIPAA COW 121
Safeguarding PHI
Inter-Office Mail and PHI
Send all PHI in sealed Inter-Office envelopes
Verify all PHI was removed from the envelope before
stuffing it
Address to correct individual and department
Mark the envelope confidential
Confirm you are sending correct PHI
Copyright HIPAA COW 122
Safeguarding PHI
Paper
Turn over/cover PHI when you leave your desk/cubicle so others cannot read it.
If you have an office, you have the option of closing your door instead.
Turn over/cover PHI when a coworker approaches you to discuss something other than
that PHI.
Don't leave documents containing PHI unattended in fax machines, printers, or copiers.
Check your fax machine frequently so documents are not left on the machine.
Copyright HIPAA COW 123
Safeguarding PHI
Disposal
How should I dispose of confidential paper?
Shred or place all confidential paper in the designated
confidential paper bins.
How should I dispose of electronic media (floppy disk, CD,
USB Drive, etc.)?
Provide electronic media to the IS Department for proper
disposal
Copyright HIPAA COW 124
Facility Security
Protecting Our Patients' Physical Security
How can I help protect our facilities?
Wear your ID Badge at all times (helps identify you as an
[Organization] employee/provider).
Only let employees enter through employee entrances with you.
Keep hallway doors that lead to patient care areas closed.
Request vendors and contracted individuals to sign-in and
obtain Vendor ID Badges when visiting a restricted area.
Copyright HIPAA COW 125
What are Restricted Areas?
Restricted areas are those areas within our facilities where PHI
and/or organizationally sensitive information is stored or
utilized
Receptionist stations
Business office windows
HIM Department
Patient care hallways/treatment areas
Offices
Storage closets and cabinets
Accounting, Human Resources, Administration Offices, IS
Department, etc.
Employee meeting/rooms/kitchens in the departments
Areas containing potential safety hazards (e.g. medical imaging, lab,
nuclear medicine, etc.)
If you see someone in a restricted area not wearing a badge, kindly ask "May I help you?" Then escort the individual out of the
restricted area and to the area he/she is visiting.
Copyright HIPAA COW 126
Section XI
Business Associate Agreements
Copyright HIPAA COW 127
Business Associate Agreements
If you initiate negotiations to contract with a company to perform, or assist
in the performance of a function or activity involving the use or disclosure
of PHI, please contact the [Organization Privacy Officer] to obtain a
Business Associate Agreement (BAA).
Examples of when to obtain a BAA with a company include:
Claims processing or administration, data analysis, processing or
administration, utilization review, quality assurance, billing, benefit
management, practice management, and repricing; and
Legal, actuarial, accounting, consulting, data aggregation, management,
administrative, accreditation, or financial services.
Copyright HIPAA COW 128
Business Associates Include
Companies that maintain PHI on behalf of a Covered Entity
(CE)
Data storage company
Patient safety organizations
Companies that transmit PHI to a Covered Entity
Copyright HIPAA COW 129
Business Associates (contd)
Business Associates Also Include:
Personal Health Record vendors
Subcontractors to Business Associates that create, receive, maintain
or transmit PHI on behalf of the Business Associate.
Copyright HIPAA COW 130
Business Associates (contd)
Requirements
Limit uses and disclosures of PHI to minimum necessary
Enter into a BAA with their subcontractors
Comply with the BAA and the same HIPAA administrative, physical and
technical safeguard rules as covered entities (CEs)
Report Breaches of Unsecured PHI to the CE
Comply with the Privacy Rule to the extent they carry out a CE's obligation
under the Privacy Rule
Copyright HIPAA COW 131
Other Confidentiality Agreements
When initiating a contract with a company to perform work for
[organization] that will not involve direct access to PHI, request that a
Confidentiality Agreement be signed and forwarded to the [Organization
Privacy Officer].
Copyright HIPAA COW 132
Section XII
HIPAA Violations and Complaints
HIPAA and Your Role
Remember, it is your responsibility, as an [Organization] employee or
provider, to comply with all privacy and security laws, regulations,
and [Organization's] policies pertaining to them.
Employees and providers suspected of violating a privacy or security
law, regulation, or [Organization] policy are provided reasonable
opportunity to explain their actions.
Violations of any law, regulation, and/or [Organization] policy will
result in disciplinary action, up to and including termination,
according to [Organization] HR Policy #.
Copyright HIPAA COW 134
HIPAA Violations
Three types of violations:
Incidental
Accidental
Intentional
Insert [Organization's] policy regarding types of
violations and the levels of disciplinary action provided.
How much is enough? How much is too much?
Copyright HIPAA COW 135
Incidental Violations
If reasonable steps are taken to safeguard a patient's information and a visitor
happens to overhear or see PHI that you are using, you will not be liable for
that disclosure.
Incidental disclosures are going to happen (even in the best of
circumstances).
An incidental disclosure is not a privacy incident and does not require documentation
Copyright HIPAA COW 136
Accidental Violations
Mistakes happen. If you mistakenly disclose PHI or
provide confidential information to an unauthorized
person or if you breach the security of confidential data,
you must
Acknowledge the mistake and notify your supervisor and the Privacy
Officer immediately.
Learn from the error and help revise procedures (when necessary) to
prevent it from happening again.
Assist in correcting the error only as requested by your leader or the
Privacy Officer. Don't cover up or try to make it right by yourself.
Accidental disclosures are privacy incidents and must be reported to your Privacy Officer immediately!
Documentation of Accidental Disclosures is required.
Copyright HIPAA COW 137
Intentional Violations
If you ignore the rules and carelessly or deliberately use or
disclose protected health or confidential information, you can
expect:
Disciplinary action, up to and including termination
Civil and/or criminal charges
Examples of Intentional Violations of Privacy Include:
Accessing PHI for purposes other than assigned job responsibilities
Attempting to learn or use another person's access information
If you're not sure about a use or disclosure, check with your Supervisor or the Privacy Officer
Copyright HIPAA COW 138
Reporting HIPAA Violations
If you are aware or suspicious of an accidental or
intentional HIPAA violation, it is your responsibility to
report it.
[Organization] may not intimidate, threaten, coerce,
discriminate against, or take other retaliatory action
against anyone who in good faith reports a violation
(whistleblowing).
Refer to the [HIPAA Intranet page] for more examples
of what to report.
Copyright HIPAA COW 139
It's Important!
You Must Report HIPAA Violations
So they can be investigated, managed, and documented
So they can be prevented from happening again in the future
So damages can be kept to a minimum
To minimize your personal risk
In some instances, management may have to notify affected parties
of lost, stolen, or compromised data
Incidental disclosures need not be reported, but if you're not sure, report them anyway
Copyright HIPAA COW 140
Patient Complaints
We Must Respond to Privacy and Security Complaints
All Privacy Complaints Must Be Reported
Copyright HIPAA COW 141
How Do I Report
HIPAA Privacy Violations?
Directly to your Supervisor, who in turn reports it to the
[Organization's] Privacy Officer
Call or email the Privacy Officer
Complete a HIPAA Incident Report form (#) which is
located [on the HIPAA Intranet page]
Email the internal HIPAA Hotline email group
Note: this is not anonymous as the sender will be known
Leave a message on the HIPAA Hotline [insert #]
Copyright HIPAA COW 142
How Do I Report
HIPAA Security Violations?
Same as for Privacy Violations, except instead of
reporting to the Privacy Officer, report to the
[Organization's] HIPAA Security Officer
You may also call or email the [Organization's]
Technical Security Officer, Information Services Help
Desk, or Director of Information Services
Copyright HIPAA COW 143
HIPAA Information
Want More Information About HIPAA Privacy and Security?
Check out our website at www.hipaacow.com
Copyright HIPAA COW 144
Comments or Questions?
Not sure which way to go?
Contact your Privacy Officer at: (phone) (pager) (email)
Contact your Security Officer at: (phone) (pager) (email)
Copyright HIPAA COW 145
Section XIII
Discussion Slides
I Got the Fever!
And I Got Here First
Your daughter's school just called. She has a fever and
you need to pick her up immediately. You know she'll
need to see her pediatrician (who just happens to work
down the hall), so you access her medical record to
schedule an appointment quickly before another patient
gets the available time slot. Is this access permissible?
Does it make a difference if your daughter has a different last name than you?
The audit trail report wouldn't show an obvious inappropriate access, right?
Copyright HIPAA COW 147
I Know Something You Dont Know!
You're a Lab Technician. You just processed a
positive blood alcohol test for a patient you later
learned was your neighbor's soon-to-be ex-
husband. This information would be very useful in
court to strengthen her case for full custody of
the kids. Can you disclose the information to
your neighbor?
Copyright HIPAA COW 148
I Was Just Concerned!
Your co-worker, Joan, hasn't been at work the last 3 days and
you're starting to get worried about her. You consider her a friend
and conclude she'd be hurt if you don't call her. You don't have
her phone number. But it's in the electronic medical record! You
wait until your supervisor goes to lunch, log on and look up Joan's
phone number. Is this OK?
Consider This: While looking up her phone number you notice she has a
diagnosis of breast cancer on her problem list.
Copyright HIPAA COW 149
I Just Needed a Gallon of Milk!
You're an RN at the downtown clinic. This morning you saw
6-year-old Allison for a strep test. On the way home from work
you stop at Woodman's for a few things. Walking through the
Frozen Foods, you run into Allison's mom, Sherry.
"I'm so glad I ran into you! Did you get the strep results yet? It would be
great if I knew now so I could pick up the prescription tonight, get her started
on the antibiotics and back to school sooner." Can you disclose to Allison's
mom?
As The World Turns
You're a CMA at the downtown clinic. You recently started dating the
spouse of one of the clinic's patients and it's gotten pretty serious. He has a
teenage daughter being seen for mental health treatment at your west clinic,
and his wife comes in regularly to your clinic (she's probably a
hypochondriac), but you're not usually the nurse for these visits. You're very
interested in tracking what's going on with mom and daughter, not because
you want to do anything with the information; you're just plain curious. You
have a routine now to look at their medical records every Tuesday at noon
when your supervisor is in a meeting. Is this a good idea?
Consider This: What if you are actually the nurse taking vital signs when his wife
comes in, so you have a legitimate right to access her record? Except you're
looking at it any time you want; you'll never get caught since you do have a
legitimate right to access.
I Have a Right to Know!
Mr. Albertson is on the phone. He states his wife was in the
clinic yesterday for lab testing and he wants you to tell him
the results of the urinalysis immediately. You explain that
his wife has individual privacy rights and such information
can be disclosed only to her. You suggest he talk directly to
her. He is very angry! "I have a right to know since I pay
the bills. I'm going to report you for a HIPAA violation."
Should you cave and tell him?
Consider This: Upon review of Mrs. Albertson's record, you see a signed authorization permitting the
clinic to exchange PHI with Mr. Albertson regarding her care and treatment. Does this change your
response?
No Harm No Foul?
The OB Department is crazy busy this morning. As a nurse you're running from
one crisis to another. Around 11:00 am you finally get a breather and leave for a
cup of coffee. While you're usually diligent about securing your computer when
you walk away, this time you were so distracted you forgot. Your computer is
logged on to two patient records, one of whom is the wife of the hospital
administrator who had a miscarriage. When you return from break, a receptionist
is sitting at your desk intently reading the screen.
Will you confront her?
Self-report the incident to the Privacy Officer?
Ignore her and walk away until she leaves?
Make a deal with her: you won't tell if she doesn't?
Consider This: Who is subject to disciplinary action in this case? You? The receptionist? Or both of you?
How Much is Too Much?
You are a coder at ABC Memorial Hospital. You're reviewing a
complex case for documentation to support a higher level of
service. It's a priority as part of the Coding Team to ethically
make this determination, and a commitment you take seriously.
You're going to have to conduct a detailed review of the
medical record. This is time consuming, and it becomes
evident that you're seeing a lot of confidential information
unnecessary for the proper code assignment. Have you violated
the minimum necessary policy?
Consider This: The patient is also an employee at the hospital, someone with whom you've had a
few disagreements and about whom you have engaged in gossip. You know better than to share this
information with anyone, but a week later she confronts you about a work problem and you
accidentally say, "Too bad, you probably just forgot to take your Prozac this morning."
Cool Stuff to Personalize My Computer
Are These Good Ideas?
That screen saver with the bubbles? I love it and I
want it!
Maroon 5's newest song is amazing; I could
listen to it all day long!
I'm a gamer addicted to Wild Robots of the World
V2. There's no reason I can't load it onto my work
computer so I can play during breaks and lunch.
My sister's wedding last weekend was just gorgeous and the pictures prove it. I was able
to load all the pictures from the ceremony and the reception on my work computer.
One's even my home screen. So, my computer crashed when I was loading them. I
rebooted and now they seem just fine.
Consider This: I spend most of my life sitting in front of this computer. The least they can do is let
me do stuff to enjoy it!
We Must Respect Each Other's Jobs
As your employer, we appreciate that you want to personalize your workstation. We value your
individuality. It's one of the things that makes you a great employee!
You can feel free to bring framed pictures of your family and friends, posters and desk
items to create a pleasant work environment.
However, your computer is a different story:
Loading music, screen savers, games and photos can slow down our systems, including the effectiveness and
quality of medical records and financial data.
Unapproved tools such as software, downloads, CDs, or flash drives may damage systems or increase the likelihood of
unauthorized events such as hacking, viruses and Trojan horses.
Just as you don't want another department to come into your office and start changing things around, the
Information Services Department doesn't want you to compromise the things they do to keep electronic
systems effective and safe.
Organizational policy is clear. You may not add such tools without written permission from the Information
Services Department.
How Do Privacy Violations Happen?
Assuming the auto lock would activate soon, the nurse did not lock
her computer when she left the patient in an exam room. While
waiting, the patient got bored with the old magazines in the room
and looked at her electronic record. Not only did the patient see
her prescription for Prozac and diagnosis of depression, but she
also read her psychotherapy notes.
Discussion points:
What is [Organization Name]'s policy on locking computers?
Why are psychotherapy notes included in this patient's EMR?
What is [Organization Name]'s policy on workforce members accessing
sensitive information?
What is [Organization Name]'s policy for patients to request copies of their
records?
How Do Privacy Violations Happen?
Katie, a billing department employee, saw her son's girlfriend,
Allison, in the hospital. Katie was concerned that Allison was OK, so
she looked at Allison's medical record. Katie was upset when she
saw that Allison was diagnosed with a heart murmur. Katie texted
her son this information. When Katie got home, she learned that
Allison had read Katie's text message and had already called the
hospital to file a privacy complaint.
Discussion points:
Does it matter that Katie meant well?
What is [Organization Name]'s policy for accessing medical records?
What is [Organization Name]'s policy for role-based access control?
What is [Organization Name]'s policy for snooping discipline?
Calling All Privacy & Security Professionals!
Some Facts:
Emerging electronic technology impacting privacy and security is
a reality.
It's getting smarter and smarter, and faster and faster.
It's not just desktops and laptops; today we have tablets, iPads,
iPhones, Androids, remote monitoring of health conditions, HIEs,
eVisits, Work-at-Home, Apps, GPS, and cameras recording us
shopping, driving, walking, banking, and grocery shopping.
Privacy & Security Professionals Must Keep the Pace:
Stay tuned in, ensure understanding and be heard!
Anticipate how privacy and security protections must
change to accommodate technology.
How will audit trails work?
HIPAA COW
Privacy and Security Networking Groups
We are pleased to provide our peers and colleagues with this training module.
We hope you find it useful as you develop your organization's privacy training.
Refer to the HIPAA COW website for additional
privacy, security, and EDI reference materials:
http://hipaacow.org/home/home.aspx
Version History
Current Version: 4/8/15
Prepared by:
Primary Author: Barbara J. Zabawa, JD, MPH, The Center for Health Law Equity, LLC
Contributing Authors:
Karin Butikofer, Athletico Physical Therapy
Julie Coleman, Group Health Cooperative of South Central Wisconsin
Chris Duprey, Caris Innovation
Cathy Hansen, RHIA, Director, Health Information Services & Privacy Officer, St. Croix Regional Medical Center
Teresa Hernandez, HSHS
Mary Koehler, IT Security Regulatory Coordinator, ProHealth Care Information Technology
Meghan O'Connor, von Briesen & Roper, S.C.
Kathy Schleis, Bellin Health System
Reviewed by: HIPAA COW Privacy & Security Networking Groups
Content Changed: This document was updated to reflect changes required by the HITECH Act from 2009 and the subsequent rules that went into effect in 2013, as well as to reorganize and refresh the slides.
Version History (Cont'd.)
Original Version: 3/31/09
Prepared by:
Primary Author: Holly Schlenvogt, MSH, ProHealth Care Medical Associates, Privacy Officer
Contributing Authors:
Cami Beaulieu, Red Cedar Medical Center, ROI Supervisor and Privacy Assistant
Jane Duerst Reid, RHIA, Clear Medical Solutions, HIM Consultant
Linda Huenink, MS, RHIA, Wk Co. Dept. of Health & Human Services, Records Supervisor
Carla Jones, Senior Staff Attorney/Privacy Officer, Marshfield Clinic Legal Service
Kathy Johnson, Privacy & Compliance Officer, Wisconsin Dept. of Health Services
Melissa Meier, ProHealth Care Medical Associates, Corporate Compliance Coordinator
Kim Pemble, Executive Director, WI Health Information Exchange (WHIE)
LaVonne Smith, Information Services Director, Tomah Memorial Hospital
Reviewed by: HIPAA COW Privacy & Security Networking Groups