Summary of HIPAA Staff Training 2020
This training video, presented by Michael McCoy, aims to help healthcare organizations build a culture of HIPAA compliance by explaining key concepts, rules, and best practices related to protecting patient privacy and securing Protected Health Information (PHI). The content is based on guidance from the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), and other government bodies.
Main Ideas and Concepts
1. Introduction to HIPAA and Key Terms
- HIPAA is a federal law enforced primarily by HHS OCR and sometimes state attorneys general.
- Important acronyms: HHS (Health and Human Services), CMS (Centers for Medicare and Medicaid Services), OCR (Office for Civil Rights).
- Malware includes viruses, ransomware, Trojans, etc., which threaten data security.
- Meaningful Use, MIPS, and Promoting Interoperability require security risk assessments.
- Willful neglect is a serious violation involving intentional or reckless disregard of HIPAA obligations.
2. Protected Health Information (PHI)
- PHI includes any identifiable health information (oral, written, electronic) linked to payment, treatment, or healthcare operations.
- Identifiers include names, addresses, social security numbers, license plates, and even coded identifiers.
- Electronic PHI (ePHI) refers to PHI stored digitally.
- Sensitive PHI (sPHI) includes information that could cause harm or embarrassment (e.g., HIV status, pregnancy of a minor, STD status) and requires extra protection.
3. Minimum Necessary Standard
- Only the minimum amount of PHI needed to perform a task should be accessed or disclosed.
- Exceptions include disclosures to other providers for treatment, disclosures to the patient, or disclosures to HHS OCR.
- Staff must not access family or friends’ records without proper authorization.
- Violations can lead to sanctions including termination.
4. Documentation and Breach Management
- Documentation is critical for HIPAA compliance.
- A breach is any impermissible use or disclosure of PHI.
- Common breaches include misdirected faxes, sharing records with the wrong patient, employee snooping, and improper disposal of paper records.
- Breach Risk Assessment involves answering four key questions:
  - Nature and extent of PHI involved.
  - Who saw the information.
  - Whether the PHI was acquired or viewed.
  - Actions taken to mitigate risk.
- All breaches, no matter how small, must be documented and reported.
5. Incidental Disclosures and Safeguards
- Incidental disclosures (e.g., overheard conversations) are permitted if reasonable safeguards and minimum necessary standards are followed.
- Examples of safeguards: clean desk policy, logging off computers (Ctrl+L), securing monitors.
6. Patient Privacy Rights Under HIPAA
- Patients have rights including:
  - Right to access and obtain copies of their entire designated record set.
  - Right to request amendments to their records.
  - Right to confidential communications.
  - Right to an accounting of disclosures.
  - Right to restrict disclosures, especially to health plans if paying out of pocket.
- The HIPAA Right of Access Initiative enforces timely access (within 30 days), reasonable fees (actual cost, flat fee up to $6.50, or average cost), and delivery in the requested format (including email with patient acknowledgment of risks).
- Practices must not impose unreasonable barriers (e.g., requiring patient portal use).
- Authorization forms for release of records must contain nine legal elements, including expiration dates.
- Disclosure to other providers for treatment generally does not require patient authorization.
7. Communication with Family and Friends
- HIPAA allows sharing PHI with family/friends involved in patient care unless the patient objects.
- Implicit approval is given if a patient brings someone into the treatment room.
- If a patient is incapacitated, information can be shared with caregivers until the patient regains capacity.
8. Appointment Reminders and Confidential Communications
- Providers may contact patients with appointment reminders or test results without authorization, using minimum necessary information.
- Patients can request confidential communication methods (e.g., alternative addresses or phone numbers).
9. Healthcare Cybersecurity and Security Rule
- Cybersecurity is critical due to constant cyber threats targeting healthcare.
- Security Rule requirements include:
  - Automatic logoff after inactivity.
  - Complex passwords and limited access based on job function.
  - Regular audits of access to medical records.
  - Workforce clearance procedures.
- Cyber threats include ransomware, phishing, malware, social engineering, and identity theft.
- Staff must be vigilant against social engineering tactics such as authority impersonation, urgency, reciprocation, and clickbait.
- Email security: verify sender, beware of suspicious links or attachments, and report suspicious emails.
- Passwords should be complex and changed every 90 days.
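An added example, not code from the training video or from any EHR vendor: a small Python audit check that applies the Security Rule points above (access limited by job function, regular audits of record access) and the section 3 rule against viewing family or friends' records to a constructed EHR access-log extract. The log format, care-team table, role policy and staff roster are all assumptions.

```python
"""Review an ePHI access-audit extract for accesses that need follow-up.
Constructed example; log format, care-team and role tables are assumed."""
import csv
from io import StringIO

# Constructed audit-log extract (assumed columns).
AUDIT_LOG = """\
timestamp,user,role,patient_id,patient_surname,action
2020-03-02T08:15:00,jsmith,nurse,P1001,Garcia,view_chart
2020-03-02T08:22:00,jsmith,nurse,P1002,Smith,view_chart
2020-03-02T09:05:00,rlee,billing,P1001,Garcia,view_claim
2020-03-02T09:40:00,rlee,billing,P1003,Nguyen,view_chart
2020-03-02T10:10:00,mchen,physician,P1003,Nguyen,view_chart
"""

# Assumed treatment relationships: patient -> users on that patient's care team.
CARE_TEAM = {"P1001": {"jsmith", "mchen"}, "P1002": {"mchen"}, "P1003": {"mchen"}}

# Assumed minimum-necessary policy: actions each job function may perform.
ROLE_ACTIONS = {"nurse": {"view_chart"}, "physician": {"view_chart"}, "billing": {"view_claim"}}

# Assumed staff roster, used only for the family-record heuristic.
STAFF_SURNAME = {"jsmith": "Smith", "rlee": "Lee", "mchen": "Chen"}


def audit_access(log_text: str) -> list[dict]:
    """Return one finding per access that violates a rule; empty list means nothing to review."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, role, pid, act = row["user"], row["role"], row["patient_id"], row["action"]
        reasons = []
        # Security Rule: access is limited by job function, so flag role/action mismatches.
        if act not in ROLE_ACTIONS.get(role, set()):
            reasons.append("action outside role")
        # Minimum necessary: a chart view needs a treatment relationship with the patient.
        if act == "view_chart" and user not in CARE_TEAM.get(pid, set()):
            reasons.append("no treatment relationship")
        # Snooping heuristic: staff viewing a record that carries their own surname.
        if STAFF_SURNAME.get(user) == row["patient_surname"]:
            reasons.append("possible family record")
        if reasons:
            findings.append({"timestamp": row["timestamp"], "user": user,
                             "patient_id": pid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_access(AUDIT_LOG):
        print(finding)
```

Each finding is documented evidence for the breach risk assessment in section 4; a surname match is only a prompt for review, not proof of snooping.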