Protecting Patient Information (HIPAA) Training Through this training

Protecting Patient Information (HIPAA) Training Through this training you will learn to how to identify and protect patients' protected health information, gain access to helpful resources and assist UW Medicine in ensuring our patient's rights and reducing organizational risk. This training is intended for the use of UW Medicine workforce members. The training may not be copied, reproduced, republished, modified, uploaded, posted, distributed, or transmitted in any form or by any means without written permission from UW Medicine. Version 20180904 1 Goal of this Training To provide information and resources that help you safeguard patients protected health information (PHI) PHI is everywhere at UW Medicine 2 Protected Health Information PHI We are required by law to protect our patients Protected Health Information or PHI. PHI is verbal, written or electronic information relating to a patients

past, present, or future physical or mental health including care or condition. Our obligation to protect PHI remains even if the patient is deceased. You must remove all 18 identifiers to de-identify PHI. Generally, these identifiers may not be shared without a job related reason. 1. Names 10. Account numbers 2. Geographic identifiers 11. Certificate or license numbers 3. Dates 12. Vehicle identifiers including license plates 4. Phone Numbers 13. Device identifiers

and serial numbers 5. Fax numbers 14. URLs 6. Email addresses 15. IP addresses 7. Social Security numbers 16. Biometric identifiers 8. Medical record numbers 17. Face photographic images 9. Health plan beneficiary numbers 18. Any other unique identifier 3 Treatment, Payment, Healthcare Operations

Examples include: Treatment: the provision, coordination, or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another. Payment: all activities undertaken by UW Medicine to obtain reimbursement for treatment provided. Healthcare Operations: certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. When disclosing PHI: Except for treatment purposes: use the MINIMUM amount of PHI necessary to accomplish the intended purpose. 4

Authorizations An authorization is a written document that gives permission to use and disclose PHI. Authorizations are required for uses and disclosures not otherwise permitted or required by law. May be required for release of PHI for: Employment Photography Media Use A valid authorization must be written in plain language and contain required elements. Contact your entitys Health Information Management

department for the appropriate form. 5 Breaches Follow all UW Medicine privacy policies and procedures to help avoid a breach of our patients PHI. A breach is the acquisition, access, use or disclosure of PHI that is: Not for treatment, payment or healthcare operations Not authorized by the patient Not otherwise allowed by law; and Compromises the security or privacy of the PHI Breach examples may include: PHI sent to the wrong location via fax, mail, etc.

Unencrypted, lost or stolen devices containing PHI Improper disposal of documents containing PHI Accessing or sharing PHI outside of job duties PHI handed to the wrong patient or person UW Medicine is obligated to notify patients of a breach of their PHI. 6 Breaches Consequences of a breach are both institutional and personal and include: Loss of Trust Reputational Damage

Investigations Fines, Sanctions and Imprisonment Re-Training Loss of Privacy for the Patient When a breach occurs, UW Medicine may be required to notify the: Individual Patient US Department of Health & Human Services Office for Civil Rights IfUW youMedicine suspectisa obligated to notify patients of a breach of their

PHI. breach, notify UW Medicine Compliance. 7 PHI for Research PHI may be used or disclosed for research purposes when UW Medicine agrees to the disclosure and when one of the four following conditions is met: Approval from the IRB* with authorization of the patient Limited Data Set is PHI where these 16 identifiers must be removed from the patients health information. 1. Names 2. Postal address information, other than town or city, State, and zip code 3. Telephone numbers Permission from the IRB* to use and disclose a subjects PHI without obtaining their

authorization (Waiver of Authorization) 4. Fax numbers The PHI has been de-identified by an approved method 7. Medical record numbers When the PHI is part of a limited data set and an authorization for use and disclosure of the data is in place (Data Use Agreement) UW Medicine will disclose only the minimum amount of PHI necessary to accomplish the purpose of a given request for the use and disclosure of patient information for research. *The Institutional Review Board (IRB) is a committee established to protect the rights and welfare of human subjects by reviewing and approving applications for research projects.* 5. Electronic mail addresses 6. Social security numbers 8. Health plan beneficiary numbers 9. Account numbers 10.Certificate or license numbers

11.Vehicle identifiers and serial numbers, including license plate numbers 12.Device identifiers and serial numbers 13.Web Universal Resource Locators (URLs) 14.Internet Protocol (IP) address numbers 15.Biometric identifiers, including finger and voice prints 16.Full face photographic images and any comparable images 8 Compliance is EVERYONEs Responsibility Your Role: Responsible for understanding and adhering to relevant policies and procedures, participating in required training, fulfilling recordkeeping requirements, reporting compliance concerns, seeking clarification when questions arise, and responding in a timely manner to requests for information associated with internal audits or investigations. Supervisor Role: Responsible to communicate compliance and operational expectations, ensure that appropriate training is taken, implement and enforce policies, and monitor compliance. Senior Leadership Role: Responsible for participating in the development and implementation of UW Medicine-wide systems. They are entity champions supporting

successful implementation and sustenance of compliance and related operational programs within their specific areas of oversight. Compliance Role: Monitor developments in the regulatory environment, establish entity-specific policies and standards, work closely with operational departments to develop internal controls, receive and investigate allegations of noncompliance, develop and implement effective auditing programs, and provide compliance training. UW Medicine Board Compliance Committee Role: Advisory responsibilities including strategic planning, advocacy and support for compliance efforts, risk assessment and analysis of compliance issues. Additional committees within UW Medicine provide mechanisms for engaging administrative, clinical and operational leaders in compliance initiatives. If you see something that doesnt look right or could be a potential compliance problem, contact UW Medicine 9 Safeguarding PHI Requirement: Safeguard PHI in all of its forms This means you must use reasonable methods to prevent improper uses and disclosures of PHI. In order to protect PHI in all forms (verbal, paper, electronic), think about: Where you are

Who might overhear Who might see Your patients privacy Avoid: Discussing PHI in front of others who do not need to know Leaving PHI unattended, or otherwise accessible to patients and others who do need to see it Positioning monitors where others can view them Printing to devices located in public or unsecured areas

10 Safeguarding PHI For storage and disposal of documents with PHI, think about the following: Keeping track of documents containing PHI Disposing of PHI in Shred-It containers and not in trash or recycle bins Securing documents when they are not in use Deleting all electronic PHI when no longer required for your job Locking cabinets when not in use Good computer and electronic document practices are key to safeguarding PHI.

Use a secure network server If this is not possible, do not save files containing PHI to desktop computers unless both the computer and the files are encrypted Use a privacy screen on your computer monitor Lock (CTRL-ALT-DELETE) your workstation or log out of your computer session when not in use 11 Transporting Confidential Information Safely Keep paper and devices containing PHI with you at all times (note that mobile devices must be encrypted). Place paper documents containing PHI behind a locked barrier when not in use Lock your office when you are away from it Lock your cubicle overhead bins, filing cabinets, etc.

Do not leave paper and devices locked in your car. 12 Passwords Your password provides a line of defense against unauthorized access. The stronger your password, the greater protection it offers. Change passwords often at least every 120 days Do not store passwords on sticky notes, an Outlook Calendar, or other unprotected means such as Word or Excel Best practice is to use a password manager program. A password manager is a software application that stores and organizes passwords. Passwords are usually encrypted, requiring the user to create a master password (a very strong password that grants you access to your entire password database).

13 Mobile Devices Mobile devices pose a risk to PHI. If you use a mobile device for work, it contains PHI. Mobile devices must be encrypted. Never assume mobile devices are encrypted out-of-the-box. Encryption protects the data storage units inside devices and renders them unreadable. Encryption is not the same as password protection. You need both. Password protection AND encryption greatly reduce the likelihood of a breach of PHI in the event of loss or theft. 14 Mobile Devices Follow the manufacturer instructions as well as your entitys specific process. Contact IT Support for assistance with device encryption. Follow mobile security guidelines for Android* and iPhone*. Most mobile devices are enabled with find and wipe applications that allow you to remove data if lost or stolen. Follow the manufacturers guidance to enable.

*For workforce members with UW NetID only: VMC workforce members, please contact IT Support at x6200 or [email protected]* 15 Remote Computing For Remote Computing use: Remote access programs (e.g., SSL VPN, extranet) when working offsite. This keeps information on secure networks and off your mobile or remote device. Web-based email tool to access your email when working remotely. This keeps your email on the server, not on your device. Configure your email (Outlook) to not cache locally. Cache is the storage of data that makes future requests for the same data more efficient. Contact IT Support for guidance. 16 Malicious Software and Phishing

Malicious software mimics legitimate activity in order to perform harmful actions on your computing device. UW Medicine is a data rich environment. As a result, we are a target for actions by those trying to maliciously access our data Phishing is password harvesting and is an attempt to trick you into providing your password or other credentials. Clicking on links in email or on the web puts PHI at risk of inappropriate access or corruption 17 Protect Yourself Against Malicious Software and Phishing: Email Assume unexpected and unknown email is an attack Only open email and attachments from known sources Verify unexpected links and attachments with sender and/or IT

Support Forward suspicious email to [email protected] Fully delete email from inbox and sent-mail Report warning message from your antivirus software to IT Support Email containing PHI must be encrypted when sent to an unapproved domain. Contact IT Support for assistance with the following: Sending an email outside of the approved domain list Instructions on how to send an encrypted email 18 Protect Yourself Against Malicious Software and Phishing: Email

19 Protect Yourself Against Malicious Software and Phishing: Web Avoid using work computer for personal use Avoid web pages with misspellings in the web addresses and site names Roll cursor over website links to see where they are actually going Be wary of websites that promote schemes involving recruiting others or receiving or giving money Comply with browser alert messages when they detect an unsafe site Do not click on unknown links or pop-up windows 20

Disposal of Electronic PHI and Devices Containing PHI Remove data prior to disposal, recycling, or reassignment of electronic devices (e.g., fax machine, biomedical device, desktop computer, or mobile device) Empty your electronic trash bin regularly Deleted files and emails may still exist on your device until you empty the trash bin Contact IT Support for assistance with above practices. 21 Protect Yourself Against Malicious Software and Phishing: General Advice Never provide your password, no one within UW Medicine will ever ask for it

If you receive a call from someone alleging to be IT, hang up and call IT to determine legitimacy 22 Social Media Social media includes websites and applications that enable users to create and share content or participate in networking. Online examples: Blogs Bulletin boards Social networking sites News media sites

Photo and video sharing sites UW Medicine policy prohibits the use of social media in clinical settings. PHI does not belong on blogs or social sites under any circumstances. 23 Incident Reporting Resources If your computer or mobile device is infected, or you think it may be infected, contact IT Security immediately Report information security incidents when they occur. Contact IT Services Help Desk at [email protected] If it is urgent call 206-543-7012, for Valley IT Services call 425-228-3440 (x6200) Report the loss or theft of PHI to UW Medicine Compliance at 206543-3098 or [email protected] immediately IT Security Resources: UW Medicine Information Security Program Northwest Hospital ITS http://nwh/sites/operations/ims/SitePages/Home.aspx

Valley Medical Center ITS 24 Permitted Uses and Disclosures You may use or disclose PHI without authorization in the following situations: With the patient For Treatment, Payment, and Healthcare Operations (TPO) With the exception of TPO, you must account for all disclosures made without patient authorization. Contact Compliance to learn how to make an accounting of disclosure entry. Use is the sharing, application, utilization, examination or analysis of PHI within UW Medicine. Disclose is the release, transfer, access to, or sharing of PHI outside UW

Medicine. For Public Policy Purposes include disclosures: A. As required by law B. About victims of abuse, neglect or domestic violence C. For health oversight activities D. For judicial and administrative proceedings E. For research F. To avert a serious threat to health and safety

G. For workers compensation 25 Opportunity to Agree or Disagree A patient must be given the opportunity to agree or disagree to the following uses and disclosures: Exclusion from the Facility Directory Providing proof of immunization to schools Interaction with law enforcement (photography and evidence gathering) Except when in custody Sharing PHI with family, friends and other designated individuals involved in their care

Unless the patient objects: You may disclose their PHI to relatives or other people involved in the patients care or payment related to patients healthcare. If a patient is unable to agree or disagree, you may disclose, if based on your professional judgement, it is in the best interest of the patient. 26 Requires A Signed Patient Authorization A valid authorization is required for use and disclosure of PHI except for the purposes of treatment, payment and healthcare operations or when allowed or required by law. Do not disclose PHI of heightened confidentiality unless written authorization explicitly allows it, examples may include: Records relating to testing or treatment for STD testing or treatment and reproductive health

Behavioral or mental health treatment records Substance abuse treatment records 27 Patient Rights Overview Patients have the right to: Receive a Notice Of Privacy Practices Access, Inspect, and Copy their PHI Request Amendments to their PHI Request Alternate Communication Seek Disclosure Restrictions of their PHI Restrict Disclosures to Health Plan for Self-Pay

An Accounting of Disclosures of their PHI Make a Privacy Complaint 28 Notice of Privacy Practices UW Medicine must provide patients with the Notice of Privacy Practices (NoPP) that explains: How UW Medicine protects patients privacy and how it will use and disclose their PHI How patients can get assistance and information about their privacy rights How patients can file a privacy complaint How to contact UW Medicine Compliance

Check with your supervisor if your role requires you to provide the NoPP to patients. 29 Access, Inspect, and Copy PHI With few exceptions, patients have the right to: Access, inspect and receive a copy of their own PHI If you receive a request, direct the patient to contact your HIM Department for assistance. 30 Amendments to PHI Patients have the right to request an amendment to their PHI. Entity HIM departments facilitate PHI amendments UW Medicine must respond to the requests within 10 days upon receipt UW Medicine may deny the request when the:

Healthcare provider determines the PHI is accurate and complete; or PHI was not created by UW Medicine Patients have the right to disagree with UW Medicines denial and may submit a written disagreement letter to the HIM Department. UW Medicine may rebut the patients disagreement letter in writing. When releasing the patients records, UW Medicine must include all documents created in response to the Patients initial amendment request. 31 Alternative or Confidential Communications Patients have the right to request alternative communications, examples include: Verbal versus written communications Written versus verbal communications Electronic versus paper

Fax versus postal mail Postal mail directed to an alternate address Phone calls directed to an alternate phone number This is called the patients right to alternative or confidential communication. HIM departments will determine if UW Medicine is able to comply with confidential communication requests and communicate with the patient. 32 Disclosure Restrictions Patients have the right to request restrictions on uses and disclosures of their PHI. For example, patients may request that UW Medicine does not: Share their PHI with previous providers or certain family members

Bill their insurance when the patient selects to pay for the services received out of pocket Direct patient requests for restrictions to your HIM department. 33 Accounting of Disclosures Patients have the right to receive a report of instances when their PHI was disclosed outside of: Treatment, Payment, or Operations (TPO) Authorized releases Limited Data Set uses This is called an Accounting of Disclosures Contact UW Medicine Compliance with an accounting of disclosures request. 34 Make a Privacy Complaint

Patients have the right to file a complaint regarding the privacy of their PHI through: Mail Phone Fax Email Contact UW Medicine Compliance with patient complaint questions. 35 UW Medicine Compliance Resources Contact UW Medicine Compliance: Website

Direct Phone 206.543.3098 or 1.855.211.6193 Anonymous Hotline - 206.616.5248 or 1.866.964.7744) Email - [email protected] 36 UW Medicine Protecting Patient Information Self Study Signature Page Date: I, certify that I have completed the Protecting Patient Information Self Study on the confidentiality of patient health information (PHI), specifically the privacy regulations adopted pursuant to federal Privacy and Information Security regulations (45 CFR Parts 160 and 164 (HIPAA)). I understand that I must maintain the confidentiality of individual healthcare information and agree to comply with UW Medicine Compliance policies and procedures located at Signature:

_____ Print Name: _____ Name of Manager: _____ Department: _____ Please complete this form and provide the original to your manager. Send a copy to UW Medicine Compliance (mail to: Box 358049, email to: [email protected], or fax to: 206.221.5172) to receive credit for completing your required HIPAA training. Manager: Documentation to be maintained in workforce member department record and by UW Medicine Compliance. File original in departmental personnel file. 37

Recently Viewed Presentations

  • BTEC Business Level 3 - iTeach

    BTEC Business Level 3 - iTeach

    P6 -M3: P6- You will need to write an article about your a new product and the strategy that will be used for your new product. Make sure you have followed the correct layout for an article. Choose a new...
  • Ethics & Values - MCCC

    Ethics & Values - MCCC

    Arial Arial Black Calibri Times NRS 101 Ethics and Valus 1_NRS 101 Ethics and Valus Ethics & Values About Ethics Values Values Professional Values Clarifying Client Values Slide 7 Principles of Ethical Decision Making Nursing Codes of Ethics Models of...
  • 2019 Pavement Workshop May 21-23, 2019 Environmental Impacts

    2019 Pavement Workshop May 21-23, 2019 Environmental Impacts

    GRAMS proposes to develop a user-friendly, systemic, risk-based evaluation tool to. Allow county engineers to better-Tell the Story of Iowa low-vol roads to the public and elected officials.-Perform meaningful Technical analysis, Based on objective criteria that supports tried and true...
  • Name ________________________________________ Date ____________________ Period _________ MR. SYRACUSES

    Name ________________________________________ Date ____________________ Period _________ MR. SYRACUSES

    At least three pockets are desirable: Two on the front, and one on the left chest. Some coats have internal pockets, which are also fun. A polyester and cotton blend is desirable, as it wears well and resists staining more...
  • School Presentation

    School Presentation

    The children then begin their writing and are given regular opportunities to ensure their work is covering the regular VCOP. How do we start? We start with a stimulus, and this might be: A book (fiction or non-fiction) Poem ....
  • Ch. 6 Canada In the Post-War World: 1950's

    Ch. 6 Canada In the Post-War World: 1950's

    One of the most visible symbols of rising Quebec nationalism was the introduction of a new flag. Old New. The Challenge. List as many events as you can that effected or represented changes in Canadian Autonomy from 1945-60. ... the...
  • Windows Server 2016 L100 Presentation -

    Windows Server 2016 L100 Presentation -

    Windows Server 2016. Sue Hartford and Vinicius Apolinario. September 19, 2016. Today, we are going to talk about Windows Server 2016. This release of the OS is dramatically different from prior releases, as it goes well beyond server virtualization, because...
  • New Special Education Teacher Webinar Series February 2017

    New Special Education Teacher Webinar Series February 2017

    MIDAS- Mississippi IEP Data and Accountability System. Did You Know? ... Kimmie is able to apply phonics and word analysis skills in decoding words when given a fourth-grade passage by reading 72 cwpm, when a typical fourth-grade student is able...