HIPAA Training for Medical Offices 2022 (Video)
Video Transcription
Hello, and welcome to HIPAA for Medical and Dental Offices. My name is Kelly Ogle, and I will be your presenter today. I am the Director of OSHA HIPAA Services for Doctors Management. I have over 20 years of experience in healthcare. I perform mock audits for OSHA and HIPAA, and I do training throughout the U.S. for those clients. I've presented for numerous organizations. I have my Bachelor of Science degree in Dental Hygiene, my Master's in Organizational Psychology, and I work for Doctors Management as their OSHA and HIPAA Director. Our agenda for today is we will go over the HIPAA definition and the titles associated with HIPAA, transactions and code sets, privacy rule, personal identifiers, the Notice of Privacy Practices, breach notification, security, and the enforcement of HIPAA. HIPAA is the Health Insurance Portability and Accountability Act of 1996. Title 1 came out, and it covered the healthcare access, portability, and renewability. That was its title. And it would regulate the availability and breadth of group health plans and certain individual health insurance policies. Essentially what it would do is it would make sure that people had the health plans, they were accessible, and they were able to be taken from one place to another as being portability and also renewability, meaning that it would carry over if you had existing problems. And then it talks about the ERISA law and the Internal Revenue Code, and that's what it worked with. Title 2, Preventing Healthcare Fraud and Abuse, Administrative Simplification, and Medical Liability Reform. It would go into privacy, transactions, code sets, national identifiers, security, and enforcement. Now this applies to all covered entities. It also applies to business associates. We treat both covered entities and business associates the same way HIPAA does as far as making sure that they are doing what they're supposed to do in protecting the patient information.
So they are held to the same standard in making sure that it is protected. Health plans, payers, clearinghouses, and providers that process any health data electronically. This is what is under the covered entities or those that actually work with the patient's information directly. When we talk about the Privacy Rule, its purpose is to protect identifiable information of the individual that relates to their condition, treatment, or payment, and it has to be transmitted or stored electronically or any other way. Protected health information, or what we call PHI, is that data that we need to protect or any data that can be linked to the individual concerning their health or payment. That includes the condition and the treatment. The identifiers we will go over on the next slide, but every office needs a privacy officer. It can be the same person as you're using as a security officer or it can be a different person. The difference is the privacy officer is the one that is in charge of the complaint. They do the paperwork as far as investigating and seeing any privacy issues. And then we'll discuss the security issues on another slide. So personal identifiers, that can be pretty much anything that could link information together about the patient. You know, the stuff that pertains to the patient that could link them to their personal information as far as their treatment, healthcare, or payment. So what we're trying to do is not to have the name along with a treatment. So when we are hiding information, if you're just putting the treatment up and we're hiding their name and we can look at their name later or identify the person later, then that's what we would do to hide that information. And that's what we have to do across everything that we're doing to protect them as far as paperwork or if somebody else can see it.
Now if there's papers lying on the doctor's desk and the patient's name, information, all that, and no patients are going to go in there and no patients are going to have access and nobody cleaning the office is going to have access, then that's one thing. But what we're trying to do is to eliminate the possibility of patient information getting out there. So it doesn't matter what it is, how we do it. The best thing to do is just practice it all the time. So it could have a relationship with the name and their treatment, their phone number, fax numbers. It may not even have their name on there, but it's got their phone. It can be taken, they could call that phone and find out who it is. Email addresses, date of birth, medical record numbers, any of these attached to that other information is going to give another person pertinent information they don't need to know. Protected health information. So the Notice of Privacy Practices, and most people unfortunately have not ever read it. That's patients, that's medical people. They don't actually take the time to read their own as a patient, but also read the one that we're giving our patients. So the Notice of Privacy Practices must be posted in the office and on the website and must be offered to each patient and given to anybody that requests it. So the three must be identical. You're using a Notice of Privacy Practices in your office, it has to be the same across the board. So it can't be different electronically in your computer and then what you give them is something different, or on your website, whatever. But it has to be done those three ways. That is a right of the patient to have. It needs to be posted somewhere in the office so that if they just wanted to walk up and read it, they could. Or they could get a tri-fold or something that's printed in there on the website so that they'll always have access to it.
And then be offered to each patient or given to anyone who requests it, meaning as a new patient somebody gets it and if somebody walks up and says, hey, I want a copy of the Notice of Privacy Practices, I didn't get one last time or I lost mine or whatever, it's their right to have one. Tell patients how their information may be used and what their rights are under HIPAA concerning their PHI. So what it does is the Notice of Privacy Practices has all the information of what we're going to do with their information. So it's very important as a patient ourselves that we know how our information is going to be used within their office because marketing stuff could get put in there where they can market to you and we sign off on that. So it is not required, I don't want to say required, it's not a necessity that we actually get a signature, but we have to attempt, it is required we attempt to get a signature. So if a patient is going to be stubborn and doesn't want to sign something, we just have to make note of that and make sure that we put name, initial, you know, the patient's name, you know, whatever we need to put to make sure we're letting them know why this patient didn't sign it. So healthcare operations, when you say treatment, payment, healthcare operations, here is what is related to what we're supposed to be protecting. Or when you list it in the Notice of Privacy Practices, it's saying that these things are going to get done possibly in the office and so when these things get done, we are protecting your information but we may use your information to use it for like staff development or training new healthcare workers, things like that. We have to use their information in that consideration. So you're actually saying we're going to use your information for this. This is administrative, financial, legal, quality improvement, also customer service, complaint resolution, planning, fundraising, OSHA, CLIA, x-ray, audits, inspection, it goes on and on. 
Whatever business functions that we are doing that we have to do to get our job done to treat the patient is what's going to be covered under that Notice of Privacy Practices. So the patient's rights, along with the Notice of Privacy Practices, a lot of times it's included with that, but sometimes we actually have a sheet that says patient's rights. And it will include, it will break it down to what they have a right to, like a copy of their services, a copy of their record, you know, they can call them, they can let them know how they want to be contacted, those kind of things. All that information is going to go into their patient's rights. So the covered entity is not required to agree to any restrictions if a patient says, you know, hey, I don't want you to send that to any other doctor for, you know, I guess a second opinion or whatever. But sometimes the doctor must consult with someone else to get the best treatment for the patient. So sometimes that can override that. That is part of what the health care operations are. Maybe you want to discuss that with the patient. Maybe you want to let them know if they're, you know, being abstinent about wanting that information sent to somebody, but they have the right to request, includes the right to request the covered entity not disclose certain services or information relating to their service to their insurance plan. Now this is if they have private pay insurance, okay, if it has anything to do with state plans, things that are getting paid for that patient through federal government or state government or anything like that, it does not include that. We have to record that information so that they have a record of that and so they'll pay. Okay. It's different when it's our insurance, our personal insurance, because we don't necessarily have to turn that in. We're going to pay it out of pocket. You know, we're going to full pay everything out of pocket. They have to do that. 
Patients have the right to request confidential communications and I mentioned that where they have to, where they usually give us all that information of where they can be contacted, can you leave a message, so on and so forth, and your address and things like that. It can be like possibly maybe if they said, you know, we want this information sent here. Well, if the doctor or physician didn't feel comfortable in sending that information to a place that they're asking it sent to, maybe they're saying, you know, we want it sent to a public fax machine here, over here at Kinko's or whatever, you know, and we don't feel comfortable in releasing that information and sending it to that information because other people could have access to that information. We're only protecting that patient's information. We don't want them to, their breach to happen and it would be totally our fault if we agreed and send that to us. I'm sure HIPAA would have something to say to that. So patients have the right to file complaints and notice of privacy practices must inform patients how they may file complaints. So it does talk in there that they can contact a certain person usually, and you can either put their actual contact name and number and all that, or you can just put privacy officer if you need to do that. So contact information for the Office of Civil Rights is also on there, but we don't want them to call the Office of Civil Rights. We want them to call us first, and we want to take care of the situation before it goes or gets out of control, and they call the Office of Civil Rights about it. So healthcare always trumps HIPAA. What that means is that HIPAA is asking you to make sure that you protect the patient's information as long as you do that as much as you can when giving care to the patient. This can be special circumstances. 
Maybe you're treating a patient, and it's an emergency treatment, and you're trying to get the patient back as soon as possible, kind of like in emergency rooms and stuff. We try to get them to fill out paperwork and do all this and do all that, but in the case of an emergency and we're trying to get that patient back as soon as possible, we may worry about that paperwork later or have somebody else fill it out for the patient. We're not going to worry about all that paperwork that deals with HIPAA if we're trying to treat the patient, so the healthcare is always going to come first. Professional judgment may override certain requests, meaning if it is a ridiculous request by the patient for something to be done or not to be done or whatever, and it causes an issue with the treatment of the patient, this is just an example, then the covered entity can say, no, we have to do that, or we don't do that, or we can't help you with that. What you do here, what you see here, what you hear here, when you leave here, let it stay here. I call this the Las Vegas Rules of HIPAA, which means anything that you have going on in the office, not personally, but patient-wise, dealing with the patient's information, seeing the patient's information, working with the patient themselves, anything that goes on like that that must be kept private, must be private, stay private, and stay within the office walls, I mean, unless you're like discussing something with the doctor outside of work about the patient, to help the patient, but there shouldn't be conversations between employee to employee or doctor to employee that doesn't have anything to do with their actual treatment, payment, or healthcare operations. It has to benefit the patient in some way when you are discussing the patient. So I can't say, oh, Mr. So-and-so was in the office yesterday, yeah, did you see his toupee? 
You know, I mean, you know, it doesn't have anything to do with it, that doesn't have anything, or, you know, Dr. So-and-so came in yesterday or the other day, and, you know, his wife is blah, blah, blah, and, you know, he had this and this and this wrong, and da-da-da-da-da. Well, yeah, I was with the patient, and I worked with the patient, and I knew what was going on with the patient, but that doesn't mean I need to tell that to another employee that's not going to have that information unless they go into their chart and look at it, and that's another thing. Don't go into a chart and look at it unless you're actually going to treat the patient or it's helping the patient in some way, the reason that you go in there. So confidentiality agreement continues to the end of life. This is something that we sign as far as employees, and it makes sure that we know that anything that is spoken, read, or written, and we see anything there, we have to keep private, and we can get in trouble if we don't. And then the privacy protections beyond the end of life, meaning that it's limited up to 50 years after a person dies that their information must be kept private. So privacy issues, signed authorization, for any other reason that you are collecting information on the patient, if it doesn't have to do with treatment, payment, and healthcare operations, you need to have a signature, okay? And that includes training healthcare professionals or state or federal inspections, all that is covered under the Notice of Privacy Practices and within healthcare operations. This, in law enforcement, legal proceedings, governance functions, these are, for most of those, it doesn't require any kind of signature to release that information. Signed authorization must have an end date, so a patient may revoke it at any time also. 
That includes, if you're going to get a signature for marketing, releasing the PHI to the patient's employer, school, excuse note, these are things that you have to have signatures for. Posting photos of any patient or any recognizable picture. Always get a signature. What you're doing is you're protecting the patient, for one thing, because you want to make sure that the patient agrees to do that, but you're also protecting yourself because the patient can come back and say, I didn't want that information seen, or, you know, why are you posting my picture here, and you have a signature saying you agreed to this. So, it's going to protect our offices in the long run. Access to records. A patient or personal representative, when they verify their ID, can have access to a patient's records, come in, pick it up, whatever, if the patient has it written in their chart that they want the information shared with that person or that person that can pick it up. You have to have it ready within 30 days of that request and get the request in writing and let the provider review it. Most of the time offices I've seen don't really go through that whole step. You know, a patient comes in, they request their records, and the patient gets their records. I mean, they don't send it to the employer or the provider and the provider goes, well, we don't want to release that information, or no, they can't have it. I've never seen that done. Usually somebody calls, you know, sends in a request, the admin staff, go ahead, turn around, get that information ready for them, and send it out. It would probably be in the case of if there was any kind of question, you know, questionable reason why they were asking for the information, and maybe you'd need to worry about it then.
Provider may deny access based on professional judgment, like I was saying, if there's suspicion of violence, abuse, and neglect, and during participation of clinical trials. If you want a record and you request a record, or a patient does, in electronic format, the covered entity has the EMR, then they can ask for a copy, unless for some reason you cannot produce it, okay. Do not accept any kind of patient's media, like if they bring a USB, something, whatever, and make sure that you don't request that the patient buy something from you to give them the information. So, you can charge for copies of their record. Most of the time they're offered free for the first time, and then there is a fee set by each state to give them a copy of their records. You can offer a summary, and you may charge for developing the summary, plus the postage for mailing it, and must provide actual copies if the patient prefers that over the summary. Minimum necessary, that's where I was discussing, if you have to discuss something with the doctor about the patient and it's work, it has to do with the patient's care at that moment, then that's fine, okay, but we want to reduce the amount of information that is being talked about in the office that is unnecessary, because the whole reason why is a possible breach, another patient overhearing it, somebody overhearing it that knows that person, could even be another employee, and that person comes to that doctor, knows that person that works in the office, tries to keep things private, and that could be a big no-no. I have seen that, actually.
I know somebody that was going to an office, and their friend worked there, and that friend got into her friend's chart, and she didn't have a right to get into that information, because she wasn't treating or doing anything with that patient, and she got in there and found out that her records had been transferred, and she called her, and she said, why have your records been transferred, and she was actually harassing her about that information, and in that case, that is a HIPAA breach, that is a big no-no, and she could have got in trouble for it. So, use limited data sets where possible, keep uses and disclosures to the minimum necessary to perform the function, and then Health and Human Services will provide more information later. They want you to do everything possible to treat the patient correctly, but also keep their privacy. I mean, that's what they're asking you to do. When we discuss disclosures of electronic PHI, this will be done upon the request of the patient. The electronic version, if the patient agrees and you're able to do that through your EHR or through your system, this excludes uses or disclosures of treatment, payment, and health care operations. One free per year, and you can charge for more per year, and then goes back no more than six years for the EMR or the EHR. There is a proposal to include who accessed the PHI, so it's possible we will be seeing that real soon. So, personal representative can be pretty much anybody. Anybody that's going to come in and get information about the patient for the patient, or the patient comes in to get the information. Parent, guardian, friend, next-of-kin, executor of the estate, holder of durable power of attorney, and then you have to give professional judgment on these. Most of the time, we don't have an issue. A patient comes in, requests information, but let me just give you an example, and it may never happen to you.
In a small town, somebody, it was an officer that came in, requested records, and there was no reason for him to come in and request those records, but he was saying that he needed that information about that patient, blah, blah, blah, for that reason, and the patient was, the patient didn't know that this person was accessing that information, and they were related to him, so there was no reason for that person to be getting that information, and he used his job to try to access that patient's information. So, minors, parents may be the personal representative. It all depends on the state laws and where they draw the line at what, who a minor is considered, what age. Provider may make decisions based on professional opinion to determine who may have access to the PHI, and this gets a little sticky, too, in divorce cases, and step-parents, and foster children, and it's very sticky on all that information, and HIPAA, you just have to make sure that that patient is protected. Business associate, when I was saying the covered entity earlier, is the person that actually deals with the patient's information directly, so they're the ones getting it from the patient, they're the ones working directly with the patient, those kind of things. Those others are business associates. Those are not part of that covered entity's workforce, but they are processing HIPAA health information or dealing with the health information that's given to them by the covered entity, okay, and so, like, almost like the covered entity is the go-between, but they have the direct access, the business associate does not, okay. They will have access, but it has to be given by that covered entity, so that can include billing companies, IT support, EHR, auditors that come in, business associates are held to the same privacy and security standards. Across the board, we all must treat that patient information as private as possible. Breach notification. Notification of a breach of unsecured PHI. 
There is, when you're talking about a breach, what you don't want to happen is the use or disclosure that compromises the security or privacy of unsecured protected health information. It's considered a breach unless proven otherwise, so it could do harm to the patient. You know, it's different if maybe you dropped, you know, some information on the floor, somebody picked it up, they saw somebody's name, you know, they were at a dentist office. It's not going to be this big thing. However, that is considered a breach. It was unsecured PHI, you could still see the patient's name, you knew where it belonged because they had the doctor's, you know, information on it, and it said test for such-and-such. So, you've got all the things in play there that are considered a breach, okay. Is it going to be this big blown-out thing where somebody gets hurt by it? Probably not. It doesn't have to be that serious, okay, but it still is a breach of that person's information, whether it hurts them or not, okay. So, PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services. The only methods currently approved are destruction and encryption, okay. So, I mean, you could hand some, some, you know, you've seen those things on movies or whatever, and they hand them the document for the lawyers or whatever, and all the stuff is actually marked out of it because that's protected information, okay. That's what you're doing is you're securing the PHI in that case, all right. So, if it is not made that way, and it's not marked out, and there are things identifiable on there, then it is a breach. It applies to covered entities and business associates. We already said it's across the board, but it can also, okay, breaches can occur with patients themselves or somebody other than that.
It doesn't have to be, it will come, it will come on the shoulders of the covered entity and the business associate, but other people can cause the breach, okay. So, there are three exceptions to a breach. I'm not going to get totally into these, but how to explain this is, like, if I was discussing something with an employee, we were discussing something about a patient and about their health care, and it was important. It wasn't something we were just discussing to be discussing it. It was for their care, and another patient overhears it, okay. That's unintentional or inadvertent, okay. It just means we want, if that happens, it means that, yes, somebody overheard it, yes, it was considered a breach, however, it was unintentional, and the person that overheard it cannot do anything with that information. They can't use that information, okay. They didn't know that person. They may have just heard bits and pieces of something, and it, you know, or if somebody accidentally opened, maybe I was working at a station, and I walk up, and somebody else has signed in it, and I pull up a chart. Well, it was there, you know. I didn't go and seek it out. I was going to use the computer, and there was somebody else's information pulled up there. So, the person that allowed the computer to be open with their sign-in is the person that would get in trouble, okay. Although, it's not considered a full breach because I'm not going to take that information about that patient and go somewhere with it, okay. The only time that you can say that it's unintentional or inadvertent is if that information is not used against that patient for any reason. That helps, if that helps you understand it. The covered entity and business associate has a good faith belief that the unauthorized individual who received the information was unable to retain the information or use it, okay. Breach discovery response. Document as much information as possible. Report to the privacy and security officer.
Whether it is a tiny breach, whether it is two people in the office, and they're discussing a patient, and they really shouldn't be, you report it, okay. You invest, I mean, you know, this stuff has to be kept private. I'm not telling you to go tattle on somebody, okay, but if it happened over and over again, and if you thought that there could be a problem with it, then you need to bring that up. If you see that going on, this could be, you know, it could cause a problem, especially if they're doing it around other patients that can overhear them. That individual will then, the person that is reported to, investigate, notify the affected individuals, report to the media and Health and Human Services, if indicated, and implement corrective actions. This means disciplinary actions, if possible. So, I'm not going to go and, if I hear two employees discussing something, I'm not going to go and call the individual that they were talking about, because it's probably not gotten out in any way, all right. That will not go much further than that. However, if I heard someone, or maybe I was taking some information somewhere, and it was paper charts, and I dropped a paper chart out of my car, and it was in a parking lot of a gym, and another person picked it up, and they called Health and Human Services and reported it, I'd be in a lot of trouble. But, what if they decided to call us and say, hey, I noticed that there was this chart, I realized that it belonged to your office, I wanted to get it back to you. Yes, we do have to report that to the individual. We have to let them what information, know what was affected, and know how we're talking, you know, taking care of it, and how we're dealing with the situation, okay. 
They do need to do that, because if something should happen, and there was maybe sensitive information in there about their credit card information, or about their Social Security card number, or their driver's license number, and that person that picked it up at the gym was a good citizen, but they took that information, or somebody else just took the information off of it, and could use it. So, we have to consider that information. Always think, what if? What if this happened? What if that happened? And, that's going to help you prepare yourself for something that could possibly happen. Confidentiality, non-disclosure agreement for the entire workforce, including volunteers, visitors, students. Violations may result in disciplinary actions, including termination, or fines, and in effect for life. So, if I sign one at a doctor's office that I'm working at today, but then I leave that practice, and I go to another one, that doesn't mean I can talk about the patients I just left at the other office, because I've signed a confidentiality contract, and I can't discuss those patients that I saw at the other office. Now, if I went over there and said, you know, we saw a lot of patients that have this, this, and this, that's one thing, okay. I didn't give any information out about the actual patient and who they were, but even that is questionable. We really don't need to talk about any of the patients out of context of taking care of them. Security rule, the purpose is to maintain integrity of the medical records, to ensure availability of PHI, make sure it's available to the patient, and to protect their patient confidentiality.
Now, a security officer, when we were talking about privacy, and privacy covers absolutely anything and everything that has to do with the patient's information, and the patient's charts, all that, the security officer is the person that's going to take care of the security of the patient's information, and this could be electronic, it actually refers to electronic right now, this even covers like encryption, decryption, you know, how our emails are going out, how protected is the computer, do we have software that protects that, who's getting into what, when they're getting into it, do they need to be in it, all that information has, that belongs to the information on the security officer's shoulders. I mean, that's what the security officer will have to deal with. Again, you do not have to have the security officer and the privacy officer being the same person, you can have that separate. I often tell people that it's better that way, because a lot of people are not IT savvy, and if you have an IT person, then make them your security person. So, the security rules have administrative, technical, and physical. Administrative, an example of that would be a password management, putting in your password, changing your password every 60 days, every 90 days, whatever. Technical, where it's an automatic log off of your computer, you know, if your computer's pulled up, I leave the station for two seconds, it shuts down, so that somebody else comes along and they have to sign in themselves, or they have to, they can't sign into the computer, because it's under my sign-in. And then physical workstation use and security, meaning only certain people use certain computers, and they're located in certain areas, and we just have to keep track of all those. Then you've got administrative safeguards, and we went over that with being password management. 
It can also include workforce clearance, where we make sure that the person coming in, or we do a background check on those, or also we establish ways of like the person having security over certain things, or they can get into certain things into the computer, and another person can only get into certain things in the computer. And so this person up front gets into more things, the person in the back gets into less things, you know. And so we determine that in what you need access to and that gets managed. Then you've got technical safeguards, unique user identification, emergency access procedure, automatic log off, encryption, decryption. These are all technical. And then physical. The contingency operations. What are you gonna do if the place, you're not able to access the patient's actual record at the moment that they come in and you're working with them? Can we still continue to see that patient? Yes, we can go in, we can still see the patient, we can address their problems, we can write this down on a piece of paper and we can put it in later into our computer. We have to have those contingency operations written somewhere in what we would do. Facility security plan, same thing. How are we gonna protect the information within the building? Access control, validation procedures, maintenance records, even the disposal of the device and media that we have. And that's what an IT person does too, which helps out a lot if there's a privacy officer and a security officer. Sample security controls. Installing and regularly updating the virus protection, set screen savers, and also somebody that's a home-based transcriptionist or even an auditor that does stuff, making sure that they know the regulations and policies of having a work computer at home and regulating it and also making sure that somebody else does not get onto that computer and use it or have access to that information. 
So every employee, when they are hired, there is a procedure where you must go through and then also during termination. And during the termination, you have to take away everything that they could have access to the patient information with. That can include just getting into the building with their keys, it could be changing the locks, if you can't get the key back. Also the computer password, you gotta block them out. There have been times that employees have not gotten blocked out of the system and they keep remotely accessing patient information. And unless somebody's checking that, you would never know. And then workstation precaution, position the monitors so that the patients can't read them, making sure that even when they're walking by, they can't see patient information on the big screen. Don't let that occur. Put one of those screens on it if you need to. And then passwords, require staffers to memorize their passwords. Do not write your password somewhere else. Do not store it somewhere else. Do not have it written somewhere. It has to be stored in your brain and that's all there is to say about that, okay? There's no, I guess, absolute way to protect a password unless it's just in your head. Because writing it down, someone can see it, someone can access it. If you're putting it close to your computer, we've seen it where it's a sticky note sitting on top of their computer so that they'll know how to log in every time they go in there. That's a no-no. When we talk about data backup, you know, a lot of us don't have to worry about that. A lot of clinical people, things like that. However, it is very important that you know that the information is backed up and you have access to it at any time if your computer should shut down and you have lost information. 
Like maybe for some reason at the office, it's just been wiped clean and you have nothing on there and you have to go back and that's why that contingency plan that we talked about earlier is very important because what they're gonna do is they're gonna take the CDs and all that stuff, our software CDs and all that, and download it back onto the computer and then they're going to restore that backup information onto the computer. Okay, so that means that they've gotta put their firewall back on there, they got to download the EMR system, they gotta do all that. If your computer totally crashes. Okay, so that's why that backup is very important. But unfortunately, unless we have it all written down, we can't prove to HIPAA that we have a contingency plan. You know, you could say, oh yeah, we do, this is what it is, blah, blah, blah, blah. Well, that doesn't mean that everybody at the office knows what it is and they know what to do, if it should happen, and that's why we have to have it all written down. That's why a lot of the reason why we have to have any documentation is to prove to somebody else that we're doing it and that we're taking care of it. Consider a web-based or cloud. And most of us do have that, some of us still have hard drives that we save. And if you do, make sure you store those in locked, waterproof, fireproof, safe, or box or whatever that in an event of the fire or a flood, that you still have access to those tapes. Passwords, like I said, do not write them down anywhere, do not leave them where somebody can do it or get to it, use it. Do not share it with anyone. Do not let anyone use it if it's on your computer and somebody comes along and says, hey, I wanna use your computer, can I use it? And you need to sign out. Change at least every six months. And most of the time, things will ask you to change about every 60 to 90 days, which is very important. Because, and I, for the longest time, never realized how important it was. 
However, I could change my password tomorrow. In two or three days, somebody could access my password and they could start accessing my information on my computer, in my phone or whatever else. And unless I change my password again, they will constantly have access to all that information that I'm putting in there. So it should be at least seven positions, random arrangement of letters, numbers, special characters, whatever you need to do. You could say, my brown dog jumps, exclamation mark. Or my one, and you could put a one, dog jumps, exclamation mark. Not easily guessed, no names, birthdays and such. Sample security issues. Always make sure that your facility is secured and that your server is secured. That if it is an area where a patient can have access to it, walk by it, get to it. The same way with your fax or printer. You want it in an area where patients don't have ready access to it because they could pull something off of there when they walk by. That's why we don't let patients walk through the office by themselves. That's why we escort patients. That's why, you know, I didn't realize that. I mean, a lot of times, actually, my doctor does not escort me out the door. The nurse doesn't either. They'll just tell me to go on down there and turn or whatever. Well, I could get lost in their office and end up in the doctor's office with patient information sitting on the desk, okay? That's why they like for you to escort people throughout the office. Do not let hackers view or tamper with your data. Combine a firewall, router, device that connects your network to the internet, control access to data by requiring staffers to log on with user IDs and passwords. These are all sample security issues. Also personal devices that are used. Making sure like the laptops or your phones can be easily stolen or lost. So you have to consider where that information's going. So like I have a computer. 
However, my computer does not store, you know, heavy information that could get out to somebody. I don't have any kind of patient information or anything. I don't deal with any kind of patient information for my clients. However, if somebody got on and guessed my password into our server, I'm in trouble, okay? So they could steal my computer, figure out the password, get into the server and get all that information that is accessed. I told them actually not to give me access to all that other information because I didn't want that other information as a full thing because I didn't wanna be responsible for that. I didn't need access to it. There was nothing in there I needed to look at. And that way they could control that and I wouldn't have to worry about somebody stealing my computer and getting into it. Discarding a computer, remove and destroy the hard drive so that no one can retrieve any data. If you're giving it away, if you're selling it, anything like that, you better use a program that guarantees and gives you a certificate that all the information has been removed because then they can go back on that person and that did not remove that information. It's best to shred or melt all storage media. So if you have 10 CDs of backup CDs and you no longer need them, then you destroy them. Some reminders. Do not discuss PHI beyond the minimum necessary. Do not discuss PHI with unauthorized people. And sometimes you'll look at this and even when I read it, I think, well, that's silly, who would do that? But somebody could ask you, well, how did your day go? And you might just wanna tell them, hey, well, our neighbor came into the office today. Oh, who was your neighbor? Or, oh, which neighbor? If that's a neighbor, you know? And so that's where you're going to get in difficulty, especially if it's a small town. So you gotta watch what you say. Do not bring software from home. 
So like if I had a USB and I bring it to work and I stick it into the computer to download something, who knows if it might have something on it? I don't know. I mean, unless, it's better if you get it from work or if the work purchases it. If it happens, I would rather than purchase it and you pay it for them. You know, you pay for it or whatever, but they are responsible for getting it and they know that it is protected. If accessing email, do not open any attachments. Be sure when you are, if you can access any kind of email that you make sure that that email is from the person it's supposed to come from. So like if you got, I may be talking to one employee in our office, back and forth and back and forth, but then there's another one that I don't normally talk to on email. You know, I talk to her in the office, but I don't ever email her for any reason. Well, all of a sudden I get an email from her and I'm like, well, that's weird. And especially what it says in the email. And it said, and it gave me an attachment. And I'm like, I'm not opening that because you have to think of that. Don't just automatically go and go, oh, well, I wonder what they sent me. Do not question those emails, okay? And what I'll do is I'll go back to that person. If she's in the office, I'll just go ask her, but otherwise I'll send her a separate email and say, hey, I just got an email from you and it had an attachment in it. Was there something you were trying to send me? And then they would say, no, no, no, no, you know, or whatever. And I turn that directly over to our IT person. I make sure that they know that this is a phishing scam or could be something going on there they can look at. Treat all hardware and software like controlled drugs. Keep an accurate and current inventory. 
And that's another reason when we talk about contingency plans, this is where it's very important that you keep all your hardware and software controlled as far as having accurate and current inventory. Because when it crashes, you're gonna need to put all that information back on it. Or if somebody steals something, you're gonna need to say, wait a minute, okay, I'm missing a computer. Especially if you're like walking around with iPads and the iPad goes missing. And that has happened. Keep doors closed if possible and consider an electronic lock between reception and clinical area. That's just a big thing because if somebody is in the clinical area and we've got somebody out in reception that they can't just walk back. Okay, open the door and walk back. Definitely make sure that your door is closed. But some people will, even if it's closed, they'll just walk on back. Some people just get familiar with the doctors or familiar with the office and they're like, hey, or if somebody is not sitting at the front desk immediately and you have to get up for two seconds to go tell a doctor something when you come back, there's been a patient that just walked through. Okay, so that lock is going to protect you in that situation. Enforcement, just like any other thing, a lot of times there's not somebody that, there's just too many people out there for them to come around all the time and see all of us. Okay, it's not gonna happen. So those regulations that we put out there, if something happens and a breach happens, guess what? Well, they're gonna come look at us, especially if it's a large breach. And that's when an inspection comes. A lot of times there's a complaint or there's been a breach and they find out about it and they come. But that's not gonna stop them from just showing up. That's their prerogative. They can show up and look at everything. 
So if it is, I did have somebody that actually was randomly chosen to have advanced notification by Health and Human Services and they wanted to use them as an example and they wanted to kind of walk through their office and use them as an example to say, okay, this is what you need to fix and this is what you need to do and show somebody how that works. Well, they panicked and fixed everything before they came and HIPAA knew it or Health and Human Services knew it. They said, why did you fix all these? We need to use that information. That's why we came. We wanted to see that there were, you know, little incidences of stuff happening. We wanted that, you know, to be able to use that. Penalties for violations sliding scale based on severity of the violation and the affected individuals that were, they could even be compensated if their information was breached. Maybe somebody bought a house with their information and got their credit card. They started a credit card, they went from there and, you know, especially older patients that we have and if they don't check things, you know, more regularly, they don't notice that things are gone or being used like that. So that's when it usually happens. The enforcement charges, penalties for violations. It can be anybody across the board. So a lot of times in other things, somebody takes the brunt of the penalties and like in OSHA, the employer takes the penalties. However, in HIPAA, anybody can take penalties. It depends on who was involved in the incident for those violations. Who did the violation? Were you a part of it? Even if it was by, I'm not gonna say by accident, but I was being careless when I did it and I knew better, but it happens. And then this happens, a breach occurs. So it can go from $100 to $50,000 with an annual cap of $1.5 million. Violation was not known and would not have been known even with reasonable diligence. 
It goes up from there because there was a reasonable cause, but there wasn't necessarily willful neglect. And then we're even going up from there. It goes from $1,000 to $50,000 and then $10,000 to $50,000 because there was willful neglect, but they were able to correct it very quickly and it would, or would have been known with reasonable diligence, okay? Which means I could have probably corrected that if I would have been doing what I should have been doing. And then 50,000 up to an annual cap or up to $1.5 million, and this is willful neglect. This is somebody that didn't care, somebody that didn't do or follow any procedures or didn't have a policy and procedure manual, didn't do annual training, didn't worry about what the employees were getting into, into the information, they were sharing information, there was stealing going on. I mean, it's just crazy. And that $1.5 million can be for one violation. So if you had 20 violations, they're gonna hit you hard with that pay or with that penalty. And I have known some to have very large penalties. Internal penalties, HIPAA regulations also emphasize that disciplinary actions may help mitigate fines if enforced, accountability and responsibility for everyone across the board, and individuals, not just the employer, may be penalized. And they actually like to see that the employer is making sure that these things happen, that they are covering and making sure that there's policies, procedures in place, and that there's disciplinary actions if something should go wrong. Thank you so much for attending this training. And we hope you learned a lot from it. For more information, please contact the American Academy of Dermatology at practicecenterataad.org. They will be able to assist you in any of those questions. Thank you.
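One way to do the check the presenter says nobody usually does (a terminated employee whose account was never disabled and who keeps accessing records remotely), as an added example that is not part of the training video or Doctors Management's material: a small Python script that cross-references an HR termination list against an EHR access log. The log format, user ids and dates are constructed sample data, and the rule that access on the last day itself is still allowed is an assumption.

```python
"""Post-termination access check (added example, constructed sample data)."""
from collections import Counter
from datetime import date, datetime
from typing import Dict, List

# Constructed sample HR data: user id -> last day of employment (ISO date).
TERMINATIONS: Dict[str, str] = {
    "jdoe": "2024-03-15",
    "msmith": "2024-02-01",
}

# Constructed sample EHR access log: timestamp | user | action | source.
ACCESS_LOG = """\
2024-03-14T09:12:00 | jdoe   | view_record   | LAN
2024-03-18T22:41:00 | jdoe   | view_record   | REMOTE
2024-03-20T07:05:00 | jdoe   | export_record | REMOTE
2024-02-03T11:00:00 | msmith | login         | REMOTE
2024-03-19T08:30:00 | anurse | view_record   | LAN
"""


def parse_log(text: str) -> List[dict]:
    """Parse one event per line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue
        ts, user, action, source = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "source": source})
    return events


def post_termination_access(log_text: str,
                            terminations: Dict[str, str]) -> List[dict]:
    """Return events by terminated users that occurred after their last day.

    Access on the last day itself is treated as allowed (handover, assumed);
    anything on a later calendar day means the account was not disabled
    during offboarding and needs follow-up with IT.
    """
    last_day = {u: date.fromisoformat(d) for u, d in terminations.items()}
    findings = []
    for ev in parse_log(log_text):
        cutoff = last_day.get(ev["user"])
        if cutoff is None or ev["ts"].date() <= cutoff:
            continue
        findings.append({**ev, "days_after": (ev["ts"].date() - cutoff).days})
    return findings


def summarize_by_user(findings: List[dict]) -> Dict[str, int]:
    """Count offending events per user for the offboarding checklist review."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    for f in post_termination_access(ACCESS_LOG, TERMINATIONS):
        print(f"{f['user']} {f['action']} via {f['source']} "
              f"{f['days_after']} day(s) after termination ({f['ts']})")
```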
Video Summary
In this video, Kelly Ogle, the Director of OSHA HIPAA Services for Doctors Management, provides a comprehensive overview of the Health Insurance Portability and Accountability Act (HIPAA) for medical and dental offices. She discusses various topics including the definition and titles associated with HIPAA, transactions and codesets, privacy rules, personal identifiers, breach notification, security, enforcement, and more. Kelly emphasizes the importance of protecting patient information, ensuring privacy and security measures are in place, and complying with HIPAA regulations. She explains the roles of privacy officers and security officers within an organization and highlights the need for a Notice of Privacy Practices to be posted and available to patients. Kelly also touches on the importance of maintaining confidentiality, implementing proper data backup and disposal procedures, and the potential penalties and fines for HIPAA violations. She concludes the video by recommending reaching out to the American Academy of Dermatology for additional information and assistance with HIPAA compliance.
Keywords
HIPAA
medical offices
dental offices
privacy rules
breach notification
security
enforcement
privacy officers
data backup
HIPAA compliance
Legal notice
Copyright © 2024 American Academy of Dermatology. All rights reserved.
Reproduction or republication strictly prohibited without prior written permission.