Missouri State University
HIPAA Privacy and Security Training

Text Only Version

Missouri State HIPAA Privacy and Security Training

Welcome to HIPAA training where we will be learning about the Health Insurance Portability and Accountability Act of 1996 and how this law affects you as a member of the Missouri State University workforce. Today’s session is about 60 minutes in length consisting of a PowerPoint presentation and links to several supporting documents and sites.

Confidentiality is not a new concept. But now, the federal HIPAA or Health Insurance Portability and Accountability Act of 1996’s Privacy Rule requires additional training and policy.

So, today we want to take what we already know and do to ensure confidentiality, and highlight where HIPAA expands and strengthens our current practices, as well as strengthens consumer rights to have their health information protected by us.

Likewise, we want to provide you with enough tools to protect the University, its Units, and yourself against being liable for improperly using or disclosing any protected health information.

After this training, you will have privacy questions that come up on a daily basis – please ask your University and Health Care Component Privacy Officer for the answers! He or she is your first line of response to any questions you may have. A list of those Privacy Officers is available on the website where you accessed this training program.


Goals of Training

The five goals for this session are:

  • Increase your knowledge & understanding of what is protected health information (PHI) and how to maintain its privacy and security
  • Enhance awareness of your role in assisting the University and its Units in following HIPAA rules
  • Provide contact information on who can answer questions about privacy, and about security
  • Inform the workforce about their reporting responsibilities for HIPAA violations and the possible penalties for violation of HIPAA law for both you and the University.
  • Protect the confidentiality of PHI for our faculty, staff, and students by following the University’s guidelines and procedures.

I also want to point out that not only will the information you learn today help you here in your job, but it will also help you become an informed consumer of health care services.


What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act of 1996 and is composed of three components: Insurance portability, fraud enforcement, and administrative simplification. You may remember hearing about HIPAA in connection with “portability” or people “taking” their health insurance with them when they change employment from one organization to another.

This session will focus on the fraud enforcement or accountability part of HIPAA. We will discuss the responsibilities of those agencies that hold PHI (protected health information) and how the information should be protected.

The privacy section of the administrative simplification component is effective April 14, 2003, with security and transactions and code sets coming into effect at a later date.

Why did the need for accountability and administrative simplification come about? It arose from the increasing use of the internet, involving the storing and transferring of electronic information, advances in genetic science, and the concern about WHO would have access to WHAT information, and HOW it would be used.


What is "Protected Health Information" (PHI)?

Protected Health Information is health information containing data that may be used to directly or indirectly identify a patient. This includes personally identifiable information gathered by a Health Care Component, including non-health related information that is maintained or transmitted in any form or medium. HIPAA protects information that is:

  • Created or received by a covered entity
  • Related to an identified person’s physical or mental health, health care, or payment for health care



Examples of PHI

This is a list of examples of what is considered to be Protected Health Information.

  • Name/Address
  • Employer
  • Names of Relatives
  • Date Of Birth
  • Social Security Number
  • Telephone number
  • Account number
  • Occupation
  • Diagnosis
  • Treatment services and procedures



Who is Subject to HIPAA?

Any “covered entity” that maintains or transmits protected health information (PHI) electronically in connection with a “standard transaction” is subject to HIPAA.


What is a Covered Entity?

A covered entity is any Health Plan like the University Health Plan, Health Care Clearinghouses, and any Health Care provider such as Taylor Health Center and the Counseling Center. Missouri State University is called a “Hybrid Entity” because the organization is comprised of several different types of units that may or may not fall under HIPAA.


Is Missouri State Itself a Covered Entity?

Missouri State is a covered “Hybrid Entity” because its primary function is not health care but its organizational structure has units that are covered health care components.


Missouri State's Responsibility as a Hybrid Entity

Missouri State University has a responsibility to identify the covered Health Care Components, identify those components that act as business associates to covered components, erect firewalls between covered and non-covered components, and ensure their compliance with HIPAA.


What is a Business Associate?

Business Associates are agencies outside of the University who we work with that have exposure to PHI. The next slide has examples of Business Associates who the University Health Components interact with on a consistent basis.


Examples of Business Associates

The following are examples of Business Associates.

  • Health Insurance companies and middlemen
  • Claims Payers (MEDPAY)
  • IT providers having access to Missouri State medical databases
  • Accreditation organizations
  • Research Centers, Accountants, Auditors, and Actuaries
  • Consultants
  • Document Storage and Destruction or Conversion Business Entities



Contract with Business Associate Must...

The University has the responsibility to establish policies and procedures to protect and secure PHI when interacting with these business associates. The contracts with these Business Associates must include the elements listed on the slide to provide safeguards for PHI. See Missouri State HIPAA Procedure 1.160 and 1.160 Form 1 for more information and an example of a Business Associate Contract.


Privacy: Why is it Important?

This session is focused on the privacy of Personal Health Information. There are elements of security that will overlap with privacy so we will also address these in our presentation.

The Privacy Rule requires that we train and inform all faculty, staff, and students of our institution who have access to Protected Health Information and are part of the Health Care Components.

New employees will receive information on HIPAA at their new employee orientation. Missouri State Health Care Component employees will be required to complete this online course along with their Health Care Component level training within the first 30 days of their hire date. Please refer to Missouri State HIPAA Procedure 1.090 for detailed information.

There are specific civil and criminal penalties applied to individuals and organizations for violating HIPAA, so it is important that any faculty, staff, or student who has access to PHI be informed of their responsibilities.

Beyond the potential civil and criminal penalties, protecting the health care information of consumers is the right thing to do, and that alone should drive our privacy efforts as an institution.


HIPAA Enforcement

The law provides for both Civil and Criminal Penalties to support enforcement of HIPAA and the protection of PHI. Let's first talk about Civil Penalties.

Civil penalties can accrue to the person who wrongfully discloses the PHI.

What are potential penalties? (Read through slide).

Individual University Health Components staff can be charged for wrongfully disclosing or sharing PHI. That is why it is important to ask the University or Health Component Privacy Officer if you have any questions or are unsure on how to handle a situation.

You should also report all potential violations and complaints to your Health Component Privacy Officer.


HIPAA Enforcement

As we have already discussed, HIPAA Privacy also has potential for criminal penalties.

For the criminal penalties, we have to be concerned about the person’s knowledge. Did they know that they were wrong? If so, a criminal investigation could be initiated.

After discussing these civil and criminal penalties, who will investigate and enforce?

The answer is the Federal Office for Civil Rights. A person can file a complaint with that office within 180 days of when the alleged violation occurred. Then, OCR can investigate.

The Federal Office for Civil Rights may refer the complaint to the U.S. Department of Justice, or the U.S. Attorney General’s Office for possible investigation.

Each of you needs to take HIPAA very seriously.


HIPAA Enforcement

The key point here to remember is that HIPAA Privacy applies to ALL forms of communication, including oral, paper, and electronic information. For example, if you have a conversation with another staff member about a health care recipient and during that conversation you share PHI, there are several things you need to consider: is the location where you are talking public or private, could it be overheard by someone else, and does that other staff member need to know that information. We will need to be more conscientious in protecting the privacy of PHI during the conduct of our day to day responsibilities.

HIPAA also applies to you as a consumer of health care.


HIPAA Requires Missouri State to...

HIPAA requires us to designate a Privacy and Security Officer for the University and a Privacy Officer for each Health Care Component.

We have also established policies and procedures for faculty, staff, and students for the protection of PHI. Any person found to have violated the requirements of these policies and procedures shall be subject to progressive disciplinary action up to and including dismissal.


HIPAA Requires Missouri State to...

Individually identifiable health information is: information that relates to the health or condition of a consumer, the provision of health care, or the payment of healthcare items or services. It is information created by or received by a provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse.

The individually identifiable health information either specifically identifies the person or you can determine who it is based on the information.

How many people ask you for PHI? Where do you send them? Where will you send them in the future? Answer: The Privacy Officer!

All of our Health Care Components, whether you provide direct treatment or not, do come into contact with PHI on a daily basis – so everyone is under the same requirements for protecting the confidentiality of PHI.


Where do we find PHI?

PHI is located throughout a variety of documents which are utilized by our Health Care Components in the conduct of their daily responsibilities. The information on these documents falls under HIPAA as Protected Health Information.


How Can You Safeguard PHI?

The following is a simple list of practices that can help you safeguard PHI while doing your job.

Those of you who work with PHI all the time, think about how you handle the information, and then think about ways you can improve the protection of PHI. Do you need to think about putting files away in desk drawers or in overhead bins? Or, if you sit in a nonpublic area, turn them over on your desk?

Most of these suggestions are simply common sense.


How Does "Need to Know" Translate into HIPAA?

Under HIPAA, you will now need to make a determination of what information needs to be sent in response to whatever question a requester is asking or issue they are raising. You can no longer release a whole record or information to someone because they have requested it.

In HIPAA this concept is known as “minimum necessary”.

Missouri State HIPAA Procedure 1.150 details the "Minimum Necessary Standard” that we need to follow.


HIPAA Regulations for Missouri State

We will now review the University’s policies and procedures for HIPAA.

It is important to remember there are penalties for failure to follow the policies and procedures that have been outlined for the University Health Care Components to follow.

Our University Privacy Officer is also responsible for monitoring whether or not we are following our policies and procedures.


Missouri State HIPAA Procedures

Here are some of the Missouri State HIPAA Policies and Procedures that you will need to become familiar with during this training and will need to comply with in the conduct of your job. Please refer to the Missouri State HIPAA website for a complete listing and detailed information on all the Missouri State HIPAA Procedures for our Health Care Components.

  • Notice of Privacy Practices (1.005, Form 1, 2, & 3)
  • Amendment/Correction Request Form of PHI (1.010 & Form 1)
  • Restriction Request Form (1.020 & Form 1)
  • Access (1.030 & Form 1)
  • Confidentiality Agreement to PHI (1.040 & Form 1)
  • Authorization to Disclose (1.050 & Form 1)
  • Accounting of Disclosures (1.060 & Form 1)
  • Verification (1.070)
  • Ensuring Confidentiality of Protected Health Information for Missouri State Staff working Away from a Facility Setting (1.080)
  • Mandatory HIPAA Privacy and Security Training (1.090)

Health Care Component Providers' Privacy Policies and Procedures


HIPAA Requires...

Notice of Privacy Practices (NPP) is a new requirement.

Its purpose is to provide an individual with adequate notice of uses or disclosures of PHI by the Health Care Component. The notice must be written in plain language and be provided at the time of first service or assessment for eligibility of service. The notice also needs to include the Privacy Officer’s contact information.

We need to make a good faith attempt to have the individual acknowledge this Notice and document it in the medical record.

Notices of Privacy Practices are available at Health Care Component locations.

Notices of Privacy Practices are also posted on this website. All Missouri State Health Care Components use the same notice except for the Employee Benefit Plan Health Care Component in the Office of Human Resources. Information for their NPP is posted separately on the site under the Employee Benefit Plan Health Care Component section under the Procedure titled Distribution of Privacy Notice, section 164.520.


HIPAA Amendment Correction/Request Form

HIPAA allows individuals to request that a change be made to their PHI as outlined in Missouri State HIPAA Procedure 1.010.

The request must be made in writing to the Privacy Officer on the Form 1 attached to HIPAA Procedure 1.010.

A request can either be granted or denied. Reasons for denial are that the PHI was not created by the entity, is not part of the medical record, is not available by access, or is already accurate and complete.

If the request is granted, provide the amended information to those who may have relied on past information to the detriment of the individual.

If the request is denied, advise the individual in writing.

Make sure that you follow the specific time frames outlined in the document.


HIPAA Consumer Protections

HIPAA allows individuals to request restrictions on the use of their PHI.

Missouri State HIPAA Procedure 1.020 and Form 1 outline the procedures for individuals requesting restrictions on the use of their PHI.

You must adhere to the restriction if it is accepted.

The Privacy Officer is the contact person for an individual who wants to request a restriction.


HIPAA Consumer Protections

Previously, individuals have been allowed to have some degree of access to their medical records. HIPAA formalizes the procedures for accessing the record under Missouri State HIPAA Procedure 1.030 and Form 1.

The individual must submit a request in writing to the Privacy Officer. Once a request is received, the Privacy Officer may seek input from clinicians if there is a question about whether or not it would be safe for the individual to have access to certain pieces of information in their medical record.


HIPAA PHI Protections

HIPAA requires that we formalize how our workforce gains access to PHI. By signing this Confidentiality Agreement you agree to follow the policies and procedures outlined by Missouri State HIPAA 1.040 and Form 1 for PHI. Failure to comply with this may lead to disciplinary action, up to, and including termination.


HIPAA Disclosure Protections

Missouri State HIPAA Procedure 1.050 and Form 1 outline the procedures for obtaining authorization by an individual to release PHI. This form is required for the disclosure of PHI to any person or agency outside of the Health Care Component.

There are exceptions when authorization is not needed for disclosing PHI to an outside agency or person. These are covered on the next slide.


When No Authorization Is Needed...

Key examples are mandated child abuse/neglect reports.

Information for judicial proceedings when we are directed through a court order to disclose the information.

Law enforcement: there are several examples of sharing with law enforcement. We can share if we are required to report a certain type of injury. We can share with law enforcement if they produce a grand jury subpoena. Or, we can share so that they can identify a suspect, fugitive, or missing person, or about an individual who is suspected to be a crime victim.

The serious threat exception applies if the PHI is necessary to lessen or prevent a serious and imminent threat to the health and safety of a person OR the public.

We are allowed to share information with Worker’s Compensation programs.

Please review HIPAA 1.050 for a complete listing of exceptions. Any questions as to whether a use or disclosure is permitted or required by law should be directed to the University Privacy Officer and/or University legal counsel.


HIPAA Consumer Protections

The HIPAA requirement to account for Disclosures is new to our operation. Accounting for disclosures is covered in Procedure 1.060 and Form 1. (Read through the slide).

We are required to account for all disclosures and maintain records for a period of 6 years.


HIPAA Consumer Protections

This document (Procedure 1.070) outlines the process for verifying requests for PHI.

Any requests for disclosures should be directed to the Privacy Officer.

The Privacy Officer will ask for some form of identification, such as a badge, ID card, or request written on letterhead.

The following procedures should be used to verify requests for PHI that are not submitted in person. The Unit Privacy Officer shall verify the identity of any phone requests by using a callback phone number before releasing any information. Fax requests should be verified by contacting the main number of the sending agency to verify the fax number. Each Health Care Component needs to set its facsimile machines to imprint the origin. All incoming faxes will be reviewed for imprint origin. Email requests will be verified by contacting the sending agency and being transferred to the individual who made the request. The request must be verified no matter what type of medium the requester used for the PHI.


HIPAA Consumer Protections

If an individual approaches you with a complaint about how their PHI has been handled, you must refer them to your Health Care Component Privacy Officer!

The Health Care Component Privacy officer will have them complete Missouri State HIPAA Form 1 to document and process the complaint. It is very important to refer any complaints or violations as soon as possible to the Health Care Component Privacy Officer.

The process is outlined in Missouri State HIPAA Procedure 1.140.


What Else Does HIPAA Require?

The Privacy Rule overrides any other state law unless the state law requires more protection to the individual. You will also need to consider how HIPAA fits with other federal laws.

For example, 42 CFR Part 2, which relates to the release of alcohol and drug abuse records, is only partially overridden by HIPAA. Contact your Health Care Component Privacy Officer for guidance on how to handle PHI covered under the Americans with Disabilities Act. Always ask first!

What Else Does HIPAA Require?

In the course of conducting research, individuals may obtain, create, use and/or disclose PHI. Researchers need to contact the Office of Sponsored Research Privacy Officer to ensure they have completed the proper documentation and training prior to conducting the research process. Missouri State HIPAA Procedure 1.055 covers this process in detail.



If you do not understand something, have a question on a process, or receive information on a complaint or violation, you need to contact your Health Care Component Privacy Officer for guidance and assistance. Always ask first when in doubt.


Key Things to Remember about Privacy

Listed are some key points to follow during the conduct of your job to safeguard PHI.

  • We must safeguard the individual’s records
  • Share only the information necessary to do the work
  • Individuals have the right to ask about use and disclosure of PHI
  • Missouri State has HIPAA Policies and Procedures that you need to read, understand, and follow.
  • If you have any questions contact your Health Care Component Security Officer for guidance.

We will now spend some time discussing the Security aspect of HIPAA.


Security: Integration with HIPAA Privacy

Security is a separate rule from Privacy under HIPAA. There are four security concepts that overlap with the Privacy section of the law that we need to discuss.


Required Training Areas

The security issues that impact privacy are: General Security Awareness, System Access, Computer Virus Protection, and Password Management.


Purpose of Security

The purpose of security is to protect both the system and information from any unauthorized access and use of systems and PHI.


General Security Awareness

Data Security is covered in Missouri State HIPAA Procedure 1.180 and addresses both security and virus protection for the Missouri State network where the information is electronically stored. A computer virus has the ability to damage data directly or degrade system performance. User Access to Electronic Data is covered in Missouri State HIPAA Procedure 1.170 and addresses system access and password management.


General Security Awareness

Computer and electronic safety includes securing the use of equipment and storage of information to safeguard PHI.


Things to know about System Access

System access means who has the ability to sign on and use a computer. There are some things you can do to protect the access to your system such as:

Auto Log Off: Your system will automatically turn off after a period of non-use.

Don't let ANYONE use your machine while you are logged on.

Auditing: reports on what happened to specific machines.

Inform the University Security Officer of any discrepancies or issues.

HIPAA 1.170 governs User Access to Electronic Data.

Termination: Make sure that you follow the Employee Termination Procedures outlined in Missouri State HIPAA 1.001 to terminate a user's access to the system or building. It is very important to follow these procedures in order to protect access to PHI.


Password Management

On the next two slides we will provide you with some important guidelines to follow when setting up your passwords as part of security for accessing the system. Missouri State HIPAA Procedure 1.170 provides some additional information and guidelines to follow.


Password Management

This is a list of don’ts when choosing your password.

  • Share your password
  • Choose passwords that can be found in a dictionary
  • Choose passwords that use public or personal information linked to you (Social Security Number, Credit Card or ATM number, Birth dates)
  • Reuse old passwords or any variation
  • Use user id as your password


Password Management

These are recommendations for creating good and secure passwords.

  • Six to 8 characters
  • Minimum of 2 alpha and 1 numeric
  • Use upper and lower case characters
  • Change to a completely new password
  • Memorize your password


PC and System Protection

It is important to be vigilant in protecting electronically stored information and the system it is stored or transmitted on by following these regulations and reporting any discrepancies to the University Security Officer immediately.

Please remember also that there is a required confidentiality statement that must appear at the bottom of each e-mail. One sure way to get hit with fines under HIPAA is to send an e-mail to 50 people when you only meant to send it to one! So be careful!


Key Things to Remember about Security

The key thing to remember for security is that it directly impacts privacy and our responsibility to safeguard PHI.

Security of both access and use of systems is important.

Ensure that you practice good password management and limit access to your system by others.


Any Questions?

If you have any questions on the content of the presentation, please contact the Privacy Officer for your Health Care Component.

If you have completed the training, please go to the next slide to complete your registration and verification of training.



HIPAA Training Registration and Verification

By completing this registration page you are verifying that you completed and agree to follow Missouri State HIPAA Procedures provided in this program and on the HIPAA website.

This training program and the documents located on the Missouri State HIPAA website are available to you as a reference 24/7. If you have any comments or questions about the training, please contact the HR Training & Development Manager at X64592.

Please click on the following link to complete your registration and verification for completing the Missouri State HIPAA Training Program.

Certify Course Completion


Copyright © 2003 Board of Governors, Missouri State University
URL: http://privacy.missouristate.edu
Last Modified: January 08, 2007