About the Course
HIPAA is huge, with hundreds of pages in the regulations.
- There's really no "one size fits all".
- The best HIPAA training is tailored to a role.
- "What It's About" isn't as important as "How Do I Do It".
- This course includes the "highlights" as we see them.
- We have generalized as much as is reasonable: practical HIPAA training is about a mindset, not about the minutiae of the regulations.
What does HIPAA provide? Select all that apply
HIPAA was intended to...
- improve portability and continuity of health insurance coverage
- combat waste, fraud, and abuse in health insurance and health care delivery
- promote the use of medical savings accounts
- improve access to long-term care services and coverage
- simplify the administration of health insurance
Source: PUBLIC LAW 104–191—AUG. 21, 1996
So what does HIPAA protect? Any data in a patient's medical record that can be used to personally identify them - in HIPAA terms, protected health information (PHI).
Who must comply with HIPAA? Select all that apply
What Information is Protected?
Which of the following are personal health identifiers? Select all that apply
When in doubt, treat every piece of patient data as if it is protected information.
Every HIPAA violation is treated the same.
The Privacy Rule of 2000
The Privacy Rule applies to both print and electronic medical records.
HIPAA establishes only criminal penalties for unauthorized disclosure of personal health information.
The Privacy Rule requires patients to receive plain language notice of:
Health Plans Any entity that provides or pays for medical care, including private insurers and payers, and national and state government payers (Medicare, Medicaid).
Healthcare Clearinghouses Any entity, including healthcare data exchanges, that processes healthcare data or transactions received from another entity.
Healthcare Providers Any person or organization - including physicians, hospitals and clinics - that delivers healthcare services.
Which of the following are considered Covered Entities? Select all that apply
The Security Rule
Security is not a one-time project.
It's an attitude, an ethos, laser-focused on protecting each patient's data.
Although the Security Rule discusses ePHI (PHI in an electronic format)...
The restrictions and practices apply to "hard copies", too.
Security policies and procedures, if well-designed, do not need to be reviewed and updated.
Covered Entities (CE) must...
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
- Ensure compliance with the rule by its workforce.
Source: 45 C.F.R. § 164.306(a) - Security standards: General rules
To determine appropriate safeguards, CEs should conduct two analyses:
- Risk Analysis, to discover potential unauthorized access to and disclosure of PHI
- Security Analysis, to identify security measures that can be reasonably implemented to address the risks identified in the risk analysis
The HIPAA Security Rule safeguards include: Select all that apply
Administrative Safeguards include: Select all that apply
Breach and Enforcement
So, what's a breach look like? Records may be...
- stolen intentionally
- lost through improper IT procedures
- destroyed when a pipe bursts and destroys equipment (environmental), compounded when there is no backup (human error)
- viewed by an unauthorized person, e.g., another patient “shoulder surfing” and viewing someone else's PHI (misuse)
- exposed when security credentials are stolen through phishing or social engineering (more about these in the next lesson)
Is Sam posting a picture of a patient's unique tattoo to a social media site a breach?
Despite safeguards, a breach may occur.
A CE must, regardless of size...
report a breach to HHS through the OCR portal AND...
notify, without unreasonable delay, each affected individual in writing by first-class mail, or by e-mail if the affected individual has agreed to receive such notices electronically.
Under the Breach Rule, patients may be notified of a breach by:
Which of the following is an example of a "Social" breach?
Threats and Remedies
Healthcare information (PHI) is particularly ripe for abuse because it contains so many important personal identifiers (e.g., Social Security Numbers, bank account information).
There’s a common thread to all cybersecurity threats - except natural disasters - there’s a human behind them.
Now, let's take a closer look at external and internal threats.
PHI is valuable to hackers because...
Well-executed analyses; robust, layered safeguards; and, frequent reviews of safeguards are usually adequate to protect against external threats.
With internal threats, we have already let the person inside our perimeter.
They’re in the building, perhaps the office, and maybe even sitting next to us.
They have access and some level of trust already...
...meaning these threats typically take longer to detect.
Which of the following are true of internal threats?
Examples of internal threats affecting PHI include...
Only practices with more than 5,000 patients need Privacy and Security Officers.
In a small practice, one person can fulfill all of the roles required to implement, maintain, and monitor security safeguards.
Office Practices
- Be neat: do not let records lie about.
- Have policies and procedures.
- Meet frequently, even informally, to discuss privacy and security.
- Reward people who demonstrate good practices.
- Build a robust “social firewall”: make your people suspicious of any request for PHI.
- Control personal smartphone and device use (well, we can hope).
- Banish gossip: make it the office ethic.
- Create a collaborative atmosphere, a community of practice, in which all employees are encouraged to participate in building robust security practices.
Dakota, a practice administrator, receives an email with the subject "Urgent: Payment Delayed" from a consultant the practice uses.
The email states that "to receive your payment, the practice needs to immediately update its profile" and gives a link named "Business Associate Profile." It is signed "Madison Sotillle," Accounts Payable Manager.
After clicking the link, a form appears requesting standard BA information: name, address, phone number, tax identifier, bank electronic transfer information, and adherence to HIPAA standards. Dakota completes the form and clicks submit.
Three days later, the practice is notified by the bank that money has been withdrawn from its account and a line of credit has been requested.
A few days after that, a patient reports that their credit monitoring service flagged a new mortgage application that they did not make.
What happened? Select all that apply
What should Dakota have done? Select all that apply
Your office receives an unexpected email from a known consultant with a link to provide practice information, bank account information, and access credentials for the practice management system. What do you do?
Why do phishing attempts frequently include a link to an external site?
Both the Dakota scenario and the Premera Blue Cross case involved phishing attacks.
Phishing attempts frequently appear as legitimate emails from known sources.
On a Friday, Alex, the Senior Practice Manager for a large multi-specialty group, stopped for coffee while going home.
While paying, Alex did not notice that "homework" - an unencrypted thumb drive with information on 15 patients - had fallen to the floor.
Alex had dinner with friends, shopped for groceries, and went home and watched a movie.
On Sunday, Alex wanted to work using the thumb drive, and realized that it had been lost.
Despite calling the coffee shop, the grocery store, the restaurant and friends, the thumb drive could not be located.
What should Alex do? Select all that apply
When should the Office of Civil Rights be notified following a breach? Select all that apply
Which of the following practices can mitigate against losing unencrypted PHI? Select all that apply
HIPAA Knowledge Check