HIPAA Tutorial Instructions

All employees of Palmer are required to complete the Health Insurance Portability and Accountability Act (HIPAA) tutorial and Test Your Understanding quiz each fiscal year. Upon completion of the tutorial, select the link to the quiz at the bottom of this page. Once you have selected your answers to the quiz, complete and submit the form at the bottom of the page to receive credit for completion of the tutorial.

You may access Palmer’s complete HIPAA Procedures and Computer Use Policy at http://w3.palmer.edu/infosrvc/hipaa.htm.

HIPAA Tutorial

Palmer’s HIPAA Responsibility

Palmer is required by law to maintain the privacy of health information of clinic patients. This Protected Health Information (PHI) is defined as any information, including demographic information, that is created or received by a healthcare provider.

The Health Insurance Portability and Accountability Act (HIPAA) requirements explain why each patient in the clinic must receive a copy of the Notice of Privacy Rights and provide written authorization for the clinic to use and disclose Protected Health Information (PHI). The Notice of Protected Health Information Policy must also be posted in the clinic where patients can see it. Patients agree that their information may be used for treatment, quality assessment and evaluation, clinical education, and billing.

All Palmer employees are responsible for information privacy. Employees should

  • know what data is considered confidential;
  • understand and comply with the Palmer privacy standards;
  • report suspected or known breaches of confidentiality to the HIPAA Privacy or Security Officer immediately.

What does a HIPAA Privacy violation look like?

The HIPAA laws require that discretion be used to protect a patient’s privacy. According to the law, this includes visual and auditory interception of protected information.

Some examples of this would be:

  • Discussing the patient’s health with them in a space that does not provide auditory privacy.
  • Discussing a patient’s health with someone not related to their case. Discussions about patients should only be conducted in private areas and only between those who are authorized and have a “need to know.”
  • When discussing a patient for educational purposes with practitioners unrelated to the case, the patient’s name should never be used. The case may be discussed, but not any information that would identify the patient.
  • Performing adjustments or evaluation on patients in an area that is not visibly shielded is a violation of their right to privacy, unless they have given permission. Always make sure that the patient is comfortable.

It is tempting, in a world as small as Palmer, to forget that patients are protected – “Yes, I know Joe Student; he’s a patient of mine.” Or “She has a great family; her husband comes to the clinic.” These comments are HIPAA violations.

Another key area for HIPAA privacy violations is with paperwork. Files sitting unattended may be viewed by someone who is not authorized. When working with files, viewing x-rays, entering billing codes, or any activity that involves protected information, make sure that the information is not in view of others who happen to be in the area.

  • Use a piece of paper to cover the name or file pages that are not in use.
  • If someone approaches you, turn the pages over to cover the protected information.
  • Shred pages when disposing of confidential information.
  • Don’t let protected information sit on a desk or fax machine in an office area that is not locked.
  • All faxes and e-mails should state the confidential nature of the contents and include instructions should the fax/e-mail be misdirected.

How is the HIPAA Security Rule considered different from the HIPAA Privacy Rule?

Security involves electronic protected health information (E-PHI). Some examples are information that is on a computer screen, or saved on a hard drive, a disk, or a memory key. HIPAA Security involves protection of Palmer’s computer network and intelligent use of removable media.

Security measures are taken by the Palmer Information Services department through configuring workstations, servers, and network devices to

  • automatically expire passwords after 90 days, and
  • lock out a user account after three invalid password attempts.

Security awareness is as simple as

  • Not sharing your password to your computer.
  • Choosing a password that does not contain family names, a dictionary word, or a password that has been used recently.
  • Changing your password if you feel that it has been compromised.
  • Not writing down your password and leaving it in an obvious place such as under your keyboard or on your monitor or desktop.
  • Having separate passwords for laptops, removable disks, and PDAs.
  • Not leaving disks with patient information on them in a place to which others have access.
  • Protecting your computer from malicious software (viruses and spyware) by keeping virus-scanning protection updated and in use, and by not downloading software.
  • Making sure that you log off your computer when you are away from your office, and setting the time-out feature to 5 minutes. This feature requires a log-in after the computer has been idle for the set amount of time.
  • When e-mailing information about a patient, do not include identifying information, especially the patient’s name. Mark the e-mail as confidential. E-mailed messages and reports can be intercepted.
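The workstation controls above (90-day password expiry, lockout after three invalid attempts) and the password-choice rules (no family names, dictionary words, or recently used passwords) as an added Python illustration; this is not Palmer’s configuration or code, and the word list, reference time and five-password history window are constructed assumptions:

```python
# Toy enforcement of the workstation rules from this tutorial: passwords
# expire after 90 days, an account locks after three invalid attempts, and a
# new password must not be a family name, a dictionary word, or one used
# recently. Added example, not Palmer's configuration or code.
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)  # expire passwords after 90 days
LOCKOUT_THRESHOLD = 3                  # lock out after three invalid attempts
HISTORY_SIZE = 5                       # assumed: how many old passwords count as "recent"
# Constructed stand-in for a real word list (a deployment would load one from disk).
DICTIONARY = {"password", "welcome", "chiropractic", "davenport"}
T0 = datetime(2006, 1, 1)              # constructed reference time for the demo
DAY = timedelta(days=1)


class Account:
    def __init__(self, password, set_on, family_names=()):
        self.password = password
        self.set_on = set_on
        self.family_names = {n.lower() for n in family_names}
        self.history = [password]
        self.failed_attempts = 0
        self.locked = False

    def password_expired(self, now):
        return now - self.set_on >= MAX_PASSWORD_AGE

    def login(self, attempt, now):
        """Return 'locked', 'denied', 'expired' or 'ok' for one login attempt."""
        if self.locked:
            return "locked"
        if attempt != self.password:
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0  # a successful login resets the counter
        return "expired" if self.password_expired(now) else "ok"

    def change_password(self, new, now):
        """Reject family names, dictionary words and recent passwords; else rotate."""
        if new.lower() in self.family_names or new.lower() in DICTIONARY:
            return False
        if new in self.history[-HISTORY_SIZE:]:
            return False
        self.password = new
        self.set_on = now
        self.history.append(new)
        return True
```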

Business Associates – Outside Contractors

If you are working with a contractor who is not a Palmer employee, that person or their company is required to sign a Business Associates Agreement. This agreement makes them a partner in HIPAA compliance responsibility and appropriate use of Palmer property. Business Associates Agreements are coordinated and kept on file in the Business Office.

What to do if you notice a HIPAA violation

To report a HIPAA violation, contact the Palmer HIPAA Security Officer:

Dr. Clay McDonald
723 Brady Street
Davenport, IA 52803
(563) 884-5510

A reportable HIPAA violation includes but is not limited to

  • Unauthorized use of computers or systems with patient information.
  • Stolen computer equipment.
  • Improper use of patient information.
  • Unauthorized persons in restricted areas.

The Palmer HIPAA Policy and Procedures and Computer Use Policy can be viewed at http://w3.palmer.edu/infosrvc/hipaa.htm.

Criminal Penalties

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.

Test Your Understanding

Please complete the Test Your Understanding quiz. Once you have submitted the quiz, you will receive a form to complete and submit in order to receive credit for completing the HIPAA tutorial.