HIPAA Compliance Training

FREE

How to Use this Course

About the Course HIPAA is huge, with hundreds of pages in the regulations. There's really no "one size fits all" - The best HIPAA training is tailored to a role. "What It's About" isn't as important as "How Do I Do It". This course includes the "highlights" as we see them. We have generalized as much as is reasonable - practical HIPAA training is about a mindset, not about the minutiae of the regulations.

HIPAA Overview

What does HIPAA provide? Select all that apply

HIPAA was intended to... improve portability and continuity of health insurance coverage combat waste, fraud, and abuse in health insurance and health care delivery promote the use of medical savings accounts improve access to long-term care services and coverage simplify the administration of health insurance Source: PUBLIC LAW 104–191—AUG. 21, 1996

So what does HIPAA protect? Any data in a patient's medical record that can be used to personally identify them - in HIPAA terms, protected health information (PHI).

Who must comply with HIPAA? Select all that apply

What Information is Protected?

Which of the following are personal health identifiers? Select all that apply

When in doubt, treat every piece of patient data as if it is protected information.

Every HIPAA violation is treated the same.

The Privacy Rule of 2000

The Privacy Rule applies to both print and electronic medical records.

HIPAA establishes only criminal penalties for unauthorized disclosure of personal health information.

The Privacy Rule requires patients to receive plain language notice of:

Health Plans An entity, including private insurers and payers; and, national and state government payers (Medicare, Medicaid), that provides or pays for medical care.

Healthcare Clearinghouses Any entity, including healthcare data exchanges, that processes healthcare data or transactions received from another entity.

Healthcare Providers Any person or organization - including physicians, hospitals and clinics - that delivers healthcare services.

Which of the following are considered Covered Entities? Select all that apply

The Security Rule

Security is not a one-time project.

It's an attitude, an ethos, laser-focused on protecting each patient's data.

Although the Security Rule is discusses ePHI (PHI in an electronic format)...

The restrictions and practices apply to "hard copies", too.

Security policies and procedures, if well-designed, do not need to be reviewed and updated.

Covered Entities (CE) must... Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required. Ensure compliance with the rule by its workforce. Source: 45 C.F.R. § 164.306(a) - Security standards: General rules

To determine appropriate safeguards, CE's should conduct two analyses: Risk Analysis to discover potential unauthorized access and disclosure of PHI Security Analysis to identify security measures that can be reasonably implemented to address risks identified in the risk analysis

The HIPAA Security Rule safeguards include: Select all that apply

Administrative Safeguards include: Select all that apply

Breach and Enforcement

So, what's a breach look like? Records may be... stolen intentionally lost from improper IT procedures destroyed when a pipe bursts and destroys equipment (environmental) - compounded when there is no backup (human error) viewed by an unauthorized person (e.g., another patient “shoulder surfing” and viewing someone else's PHI (misuse) security credentials stolen through phishing or social engineering (more about these in the next lesson)

Is Sam posting a picture of a patient's unique tattoo to a social media site a breach?

Despite safeguards, a breach may occur.

A CE must, regardless of size...

report a breach to HHS through the OCR portal AND...

notify, without unreasonable delay, each affected individual in writing by first-class mail e-mail if the affected individual has agreed to receive such notices electronically

Under the Breach Rule, patients may be notified of a breach by:

Which of the following is an example of a "Social" breach?

Threats and Remedies

Healthcare information (PHI) is particularly ripe for abuse because it contains so many important personal identifiers (e.g., Social Security Numbers, bank account information).

There’s a common thread to all cybersecurity threats - except natural disasters - there’s a human behind them.

Now, let's take a closer look at external and internal threats.

PHI is valuable to hackers because...

Well-executed analyses; robust, layered safeguards; and, frequent reviews of safeguards are usually adequate to protect against external threats.

With internal threats, we have already let the person inside our perimeter.

They’re in the building, perhaps the office, and maybe even sitting next to us.

They have access and some level of trust already...

...meaning these threats typically take longer to detect.

Which of the following are true of internal threats?

Examples of internal threats affecting PHI include...

Best Practices

Only practices with more than 5,000 patients need Privacy and Security Officers.

In a small practice, one person can fulfill all of the roles required to implement, maintain, and monitor security safeguards.

Office Practices Be neat - do not let records lay about. Have policies and procedures. Meet frequently, even informally, to discuss privacy and security. Reward people who demonstrate good practices. Build a robust “social firewall” - make your people suspicious of any request for PHI. Control personal smartphone and device use - well, we can hope. Banish gossip - make it the office ethic. Create a collaborative atmosphere, a community of practice, in which all employees are encouraged to participate in building robust security practices.

Scenario #1

Dakota, a practice administrator, receives an email, Subject: Urgent: Payment Delayed from a consultant the practice uses.

The email states that "to receive your payment, the practice needs to immediately update its profile" and gives a link named "Business Associate Profile." It's signed with "Madison Sotillle," Accounts Payable Manager.

After clicking the link, a form appears, requesting standard BA information, like name, address, phone number, tax identifier, bank electronic transfer information, adherence to HIPAA standards. Dakota completes the form, clicks submit.

Three days later, the practice is notified by the bank that money had been withdrawn from their account and a line of credit has been requested.

A few days after that, a patient reported that their credit monitoring service reported a new mortgage application - that they did not make.

What happened? Select all that apply

What should Dakota have done? Select all that apply

Your office receives an unexpected email from a known consultant with a link to provide practice information, bank account information, and access credentials for the practice management system. What do you do?

Why do phishing attempts frequently include a link to an external site?

The Dakota and Premera Blue Cross cases were both adversely affected by phishing attacks.

Phishing attempts frequently appear as legitimate emails from known sources.

Scenario #2

On a Friday, Alex, the Senior Practice Manager for a large multi-specialty group, stopped for coffee while going home.

While paying, Alex did not notice that "homework" - an unencrypted thumb drive with information on 15 patients - had fallen to the floor.

Alex had dinner with friends, shopped for groceries, and went home and watched a movie.

On Sunday, Alex wanted to work using the thumb drive, and realized that it had been lost.

Despite calling the coffee shop, the grocery store, the restaurant and friends, the thumb drive could not be located.

What should Alex do? Select all that apply

When should the Office of Civil Rights be notified following a breach? Select all that apply

Which of the following practices can mitigate against losing unencrypted PHI? Select all that apply

HIPAA Knowledge Check

Certificate of Completion

This certificate is only an example for your organization to see how they can use their own certificates within EdApp. Please DO NOT contact EdApp Chat Support regarding this certificate. It is only an example.

This course does include a badge that you can earn when you have successfully completed all lessons.

Glossary of HIPAA Terms

Go to the Briefcase and download a copy of the Glossary of HIPAA Terms pdf. Modify, edit, and reuse as needed.

References