Welcome to today's training video provided by Doctors' Management. This training video was designed to provide you with a comprehensive overview of privacy and security regulations to ensure your practice fulfills the requirements established by the Health Insurance Portability and Accountability Act. Doctors' Management is a full-service consulting firm that helps physicians and healthcare professionals increase profits and productivity, mitigate compliance risks, and reduce stress for providers and staff. OSHA and HIPAA compliance is just one of the service lines we offer to assist practices by simplifying the business of medicine. Before we begin, there are some recent updates for 2024. Penalty amounts are adjusted annually to account for the cost of living increases. The last update applies to cases assessed on or after October 6, 2023. Civil violations have four penalty tiers and are usually issued in cases where the offender was unaware they were committing a HIPAA violation. Criminal violations have three penalty tiers and are usually issued in cases where individuals knowingly obtain or use personal health information without permission. Even in instances of unintentional HIPAA violations, the consequences can be severe. On February 16, 2024, the HHS Office for Civil Rights and the National Institute of Standards and Technology collaboratively released the publication of the final version of Special Publication 800-66 Revision 2, Implementing the HIPAA Security Rule, a Cybersecurity Resource Guide. The guide includes resources for covered entities and their business associates to help their understanding of the HIPAA security rule, drive compliance with the law, and bolster security. This is the latest action in this work for HHS, who released a Department-wide Cybersecurity Strategy for the Healthcare Sector in December 2023 and Voluntary Performance Goals to Enhance Cybersecurity Across the Health Sector in January 2024. Your presenter for this training is Kelly Ogle. Kelly received her Bachelor of Science in Dental Hygiene and her Master's Degree in Organizational Psychology. Kelly has over 20 years' experience in healthcare and has presented for numerous organizations. She has conducted OSHA and HIPAA training and performed mock audits for hundreds of clients throughout the U.S. Kelly will begin the presentation with an agenda and overview of HIPAA before diving into the specific rules affecting covered entities and business associates. You may pause the training video and resume as needed. Our agenda for today is we will go over the HIPAA definition and the titles associated with HIPAA, transactions and codesets, privacy rule, personal identifiers, the notice of privacy practices, breach notification, security, and the enforcement of HIPAA. HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA 1 came out and it covered the healthcare access, portability, and renewability. That was its title. And it would regulate the ability and breadth of group health plans and certain individual health insurance policies. Essentially what it would do is it would make sure that people had the health plans, they were accessible, and they were able to be taken from one place to another as being portability and also renewability, meaning that it would carry over if you had existing problems. And then it talks about the IHRSA law and the Internal Revenue Code. And that's what it worked with. Title 2, Preventing Healthcare Fraud and Abuse, Administrative Simplification and Medical Liability Reform. It would go into privacy, transactions, codesets, national identifiers, security, and enforcement. Now this applies to all covered entities. It also applies to business associates. We treat both covered entities and business associates the same way HIPAA does as far as making sure that they are doing what they're supposed to do in protecting the patient information. So they are held to the same standard in making sure that it is protected. Health plans, payers, clearinghouses, and providers that process any health data electronically. This is what is under the covered entities or those that actually work with the patient's information directly. When we talk about the Privacy Rule, its purpose is to protect identifiable information of the individual that relates to their condition, treatment, or payment and has to be transmitted or stored electronically or any other way. Protected health information, or what we call PHI, is that data that we need to protect or any data that can be linked to the individual concerning their health or payment. That includes the condition and the treatment. The identifiers will go over on the next slide, but every office needs a privacy officer. It can be the same person as you're using as a security officer or it can be a different person. The difference is the privacy officer is the one that is in charge of the complaint. They do the paperwork as far as investigating and seeing any privacy issues. And then we'll discuss the security issues on another slide. So personal identifiers, that can be pretty much anything that could link information together about the patient. You know, the stuff that pertains to the patient that could link them to their personal information as far as their treatment, healthcare, or payment. So what we're trying to do is not to have the name along with a treatment. So when we are hiding information, if you're just putting the treatment up and we're hiding their name and we can look at their name later or identify the person later, then that's what we would do to hide that information. And that's what we have to do across everything that we're doing to protect them as far as paperwork or, you know, if somebody else can see it. Now if there's papers laying on the doctor's desk and the doctor's, you know, the patient's name, information, all that, and no patients are going to go in there and no patients are going to have access and nobody cleaning the office is going to have access, then that's one thing. But what we're trying to do is to eliminate the possibility of patient information getting out there. So it doesn't matter what it is, how we do it. The best thing to do is just practice it all the time. So it could have a relationship, you know, with the name and their treatment, their phone number, fax numbers. It may not even have their name on there, but it's got their phone. It can be taken, they could call that phone and find out who it is. Email addresses, date of birth, medical record numbers, any of these attached to that other information is going to give another person pertinent information they don't need to know. Protected health information. So the Notice of Privacy Practices, and most people unfortunately have not ever read it. That's patients, that's, you know, medical people. They don't actually take the time to read their own as a patient, but also read the one that we're giving our patients. So the Notice of Privacy Practices must be posted in the office and on the website and must be offered to each patient given, and given to anybody that requests it. So the three must be identical. You're using a Notice of Privacy Practices in your office. It has to be the same across the board. So it can't be different electronically in your computer and then what you give them is something different, or on your website, whatever. But it has to be done those three ways. That is a right of the patient to have. It needs to be posted somewhere in the office so that if they just wanted to walk up and read it, they could, or they could get a tri-fold or something that's printed in there on the website so that they'll always have access to it, and then be offered to each patient or given to anyone who requests it, meaning as a new patient, somebody gets it. And if somebody walks up and says, hey, I want a copy of the Notice of Privacy Practices, I didn't get one last time, or I lost mine, or whatever, it's their right to have one. Tell patients how their information may be used and what their rights are under HIPAA concerning their PHI. So what it does is the Notice of Privacy Practices has all the information of what we're going to do with their information. So it's very important as a patient ourselves that we know how our information is going to be used within their office, because marketing stuff could get put in there where they can mark it to you, and we sign off on that. So it is not required, I don't want to say required, it's not a necessity that we actually get a signature, but we have to attempt, it is required we attempt to get a signature. So if a patient is going to be stubborn and doesn't want to sign something, we just have to make note of that and make sure that we put name, initial, the patient's name, whatever we need to put to make sure we're letting them know why this patient didn't sign it. So still working on the Notice of Privacy Practices, what that's for, as we explained on the last slide, is that it's to inform the patients on how we're using their PHI and their rights concerning their PHI. So it can be disclosed to help carry out treatment, payment, health care operations, and then also other purposes as far as law and with the patient's signed authorization. They have the right to inspect and possibly make copies of their records. The doctor does have rights to deny access, but we'll get that in another slide. Patients have the right to request amendments, the provider may override, that's the other one. Patients have the right to opt out of those fundraising communications. If the patient, you can charge the patient for that. Usually it's once per year free, but it's limited to disclosures made within the six years prior to the date the accounting is requested. So they can't go further back than the six years, and it may charge for additional lists or information off that chart. So health care operations, when you say treatment, payment, health care operations, here is what is related to what we're supposed to be protecting. Or when you list it in the notice of privacy practices, it's saying that these things are going to get done possibly in that office. And so when these things get done, we are protecting your information, but we may use your information to use it for like staff development or training new health care workers, things like that. We have to use their information in that consideration. So you're actually saying, we're going to use your information for this. This is administrative, financial, legal, quality improvement, also customer service, complaint resolution, planning, fundraising, OSHA, CLIA, x-ray, audits, inspection. It goes on and on. Whatever business functions that we are doing that we have to do to get our job done to treat the patient is what's going to be covered under that notice of privacy practices. So the patient's rights, along with the notice of privacy, patients have the right to request confidential communications. And I mentioned that where they usually give us all that information of where they can be contacted, can you leave a message, so on and so forth, and your address and things like that. It can be like possibly maybe if they said, you know, we want this information sent here. Well, if the doctor or physician didn't feel comfortable in sending that information to a place that they're asking it sent to, maybe they're saying, you know, we want it sent to a public fax machine here, over here at Kinko's or whatever, you know, and we don't feel comfortable in releasing that information and sending it to that information because other people could have access to that information. We're only protecting that patient's information. We don't want them to, their breach to happen, and it would be totally our fault if we agreed and send that to us. I'm sure HIPAA would have something to say to that. So patients have the right to file complaints and notice of privacy practices must inform patients how they may file complaints. So it does talk in there that they can contact a certain person usually, and you can either put their actual contact name and number and all that, or you can just put privacy officer if you need to do that. So contact information for the Office of Civil Rights is also on there, but we don't want them to call the Office of Civil Rights. We want them to call us first, and we want to take care of the situation before it goes or gets out of control and they call the Office of Civil Rights about it. So healthcare always trumps HIPAA. What that means is that HIPAA is asking you to make sure that you protect the patient's information as long as you do that as much as you can when giving care to the patient. This can be special circumstances. Maybe you're treating a patient and it's an emergency treatment, and you're trying to get the patient back as soon as possible, kind of like in emergency rooms and stuff. We try to get them to fill out paperwork and do all this and do all that, but in the case of an emergency and we're trying to get that patient back as soon as possible, we may worry about that paperwork later or have somebody else fill it out for the patient. We're not going to worry about all that paperwork that deals with HIPAA if we're trying to treat the patient. So the healthcare is always going to come first. Professional judgment may override certain requests, meaning if it is a ridiculous request by the patient for something to be done or not to be done or whatever, and it causes an issue with the treatment of the patient, this is just an example, then the covered entity can say, no, we have to do that, or we don't do that, or we can't help you with that. What you do here, what you see here, what you hear here, when you leave here, let it stay here. I call this the Las Vegas rules of HIPAA, which means anything that you have going on in the office, not personally, but patient wise, dealing with the patient's information, seeing the patient's information, working with the patient themselves, anything that goes on like that that must be kept private, must be private, stay private, and stay within the office walls. I mean, unless you're like discussing something with the doctor outside of work about the patient to help the patient, but there shouldn't be conversations between employee to employee or doctor to employee that doesn't have anything to do with their actual treatment payment or healthcare operations. It has to benefit the patient in some way when you are discussing the patient. So I can't say, oh, Mr. So-and-so was in the office yesterday. Yeah. Did you see his toupee? You know, I mean, it doesn't have anything to do with it. That doesn't have anything, or, you know, Dr. So-and-so came in yesterday or the other day, and, you know, his wife is blah, blah, blah, and, you know, he had this and this and this wrong, and da, da, da, da, well, yeah, I was with the patient, and I worked with the patient, and I knew what was going on with the patient, but that doesn't mean I need to tell that to another employee that's not going to have that information unless they go into their chart and look at it, and that's another thing. Don't go into a chart and look at it unless you're actually going to treat the patient or it's helping the patient in some way, the reason that you go in there. So confidentiality agreement continues to the end of life. This is something that we sign as far as employees, and it makes sure that we know that anything that is spoken, read, or written, and we see anything there, we have to keep private, and we can get in trouble if we don't. And then the privacy protections beyond the end of life, meaning that it's limited up to 50 years after a person dies that their information must be kept private. So privacy issues, signed authorization. For any other reason that you are collecting information on the patient, if it doesn't have to do with treatment, payment, and healthcare operations, you need to have a signature. And that includes training healthcare professionals or state or federal inspections. All that is covered under the Notice of Privacy Practices and within healthcare operations. This in law enforcement, legal proceedings, governance functions, for most of those, it doesn't require any kind of signature to release that information. The signed authorization must have an end date. So patient may revoke it at any time also. That includes, if you're going to get a signature for marketing, releasing the PHI to the patient's employer, school, excuse note, these are things that you have to have signatures for, posting photos of any patient or any recognizable picture. Always get a signature. What you're doing is you're protecting the patient for one thing, because you want to make sure that the patient agrees to do that, but you're also protecting yourself because the patient can come back and say I didn't want that information seen or you know why are you posting my picture here and you have a signature saying you agreed to this. So it's going to protect our offices in the long run. With the access to records the patient can request their records at any time and has to be provided for them within the 30 days of the request. It cannot go over that 30 days request. This is listed as one of those requirements by HIPAA and I do know that people have been fined for not getting those records within that reasonable time. Now provider can deny access by reviewable or unreviewable denial which we'll get to the next slide. In any format requested by patient and readily producible and agreed upon between the patient and the covered entity. Don't accept the patient's media and you do not require them to buy the media from the practice. Now may charge for copies we had talked about that earlier there is a fee that's charged but it can only be a reasonable cost based fee and only include the cost of labor for copying the PHI, the supplies for creating the copy, and the postage that was requested if the request was made to be mailed. Now as we mentioned in the other slide the unreviewable grounds for denial denying access without patient review. Okay so unreviewable. So a correctional facility or health care provider under their direction the inmates request would jeopardize themselves or other inmates or those that are involved in their care or transport. Also in research the individual has agreed upon the denial of access during that participation and knows that it will be reinstated upon the completion of that research even during the suspension of treatment as the research is still in progress. Also if information included in the subject is or included is subject to the Privacy Act law or meets those requirements. And lastly if the information obtained was from someone other than the provider with the understanding that there were confidentiality understandings and that the source to the information would possibly be revealed and we don't want that person known to that patient. So on the other hand as opposed to the one with unreviewable we do have reviewable grounds for denial. So denying access and the patient is given the opportunity to have the denial reviewed. So this review is done by another health care provider that's not involved in the initial denial and designated by the covered entity. So the covered entity must answer to whatever the other health care professional decides in that situation. So the professional judgment by the provider that the access could likely endanger the patient or another individual and the PHI discusses another person other than the health care provider and it could the access could actually cause harm to that person that's mentioned within the chart and then if the personal representative of the patient requests access and it is decided by the provider. Now this is the provider that lets them have access or reviewable data you know the denial when they're going through the denial process that the information would be seen would likely cause harm to the patient or another individual. When we're discussing minimum necessary what we want to do is just even if we're talking to someone and there are other patients around or other employees around that don't need to hear the information are not privy to the information. So it requires those covered entities to evaluate their practices and enhance safeguards as needed. So you don't want the unnecessary inappropriate access to occur. So that's why either talking you want the minimum necessary at that discussion going on around others and then also when you're actually having information in a form and you're giving it to someone else you want to write the minimum necessary that needs to get the job done on that form so that others are not exposed to that information. Okay so keep uses disclosures to the minimum necessary to actually perform the function of what you're actually doing. So if they want a copy of something and they didn't request the whole copy or the whole chart or anything like that give them the minimum necessary because then if something occurs to that record or if someone else gets access to that record they don't have all of that information about that patient when they just can have the information that the patient was requesting. Use limited data sets where possible and all identifiers removed and that's the big thing we just don't want the identifiers listed on there if we can help it and you're giving it straight directly to that patient they don't need all that information about their you know their address their phone numbers you know any kind of billing information or anything like that so we want to take that out of there to make sure that there's no breaches that occur. So personal representative can be pretty much anybody. Anybody that's going to come in and get information about the patient for the patient or the patient comes in to get the information. Parent, guardian, friend, next to kin, executor of the estate, holder of durable power of attorney and and then you have to give professional judgment on these. Most of the time we don't have an issue a patient comes in requests information but let me just give you an example and it may never happen to you in a small town somebody it was an officer that came in requested records and there was no reason for him to come in and request those records but he was saying that he needed that information about that patient blah blah blah for that reason and the patient was the patient didn't know that this person was accessing that information and they were related to him so there was no reason for that person to be getting that information and he used his job to try to access that patient's information. So minors parents may be the personal representative it all depends on the state laws and where they draw the line at what who a minor is considered what age provider may make decisions based on professional opinion to determine who may have access to the PHI and this gets a little sticky too in divorce cases and step parents and foster children and it's very sticky on all that information in HIPAA you just have to make sure that that patient is protected. Business associate when I was saying the covered entity earlier is the person that actually deals with the patient's information directly so they're the ones getting it from the patient they're the ones working directly with the patient those kind of things those others are business associates those are not part of that covered entities workforce but they are processing at the health information or dealing with the health information that's given to them by the covered entity okay and so like the almost like the covered entity is the go-between but they have the direct access the business associate does not okay they will have access but it has to be given by that covered entity so that can include billing companies IT support EHR auditors that come in business associates are held to the same privacy and security standards across the board we all must treat that patient information as private as possible. Breach notification. Notification of a breach of unsecured PHI there is when you're talking about a breach what you don't want to happen is the use or disclosure that compromises the security or privacy of unsecured protected health information it's considered a breach unless proven otherwise so it's it could do harm to the patient you know it's different if maybe you dropped a you know some information on the floor somebody picked it up they saw somebody's name you know they were in a dentist office it's not going to be this big thing however that is considered a breach it was unsecured PHI you could still see the patient's name you knew where it belonged because they had the doctor's you know information on it and it said test for such-and-such so you've got all the things in play there that are considered a breach okay is it going to be this big blown-out thing where somebody gets hurt by it probably not it doesn't have to be that serious okay but it still is a breach of that person's information whether it hurts them or not okay so PHI that has not been rendered unusable unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of Department of Health and Human Services the only methods currently approved are destruction and encryption okay so I mean you could hand some some you know you've seen those things on movies or whatever and they hand them the document for the lawyers or whatever all this stuff is actually marked out of it because that's protected information okay that's what you're doing is you're securing the PHI in that case all right so if it is not made that way and it's not marked out and there are things identifiable on there then it is a breach it applies to covered entities and business associates we already said it's across the board but it can also okay breaches can occur with patients themselves or somebody other than that it doesn't have to be it will come it will come on the shoulders of the covered entity in the business associate but other people can cause the breach okay so there are three exceptions to a breach I'm not going to get totally into these but how to explain this is like if I was discussing something with a employee we were discussing something about a patient and about their health care and it was important it wasn't something we were just discussing to be discussing it it was for their care and another patient overhears it okay that's unintentional or inadvertent okay it just means we want if that happens it means that yes somebody overheard it yes it was considered a breach however it was unintentional and the person that overheard it cannot do anything with that information they can't use that information okay they didn't know that person they may have just heard bits and pieces of something and it you know or if somebody accidentally opened maybe I was working at a station and I walk up and somebody else has signed in it and I pull up a chart what was it was there you know I didn't go and seek it out I was going to use the computer and there was somebody else's information pulled up there so the person that allowed the computer to be open with their sign in is the person that would get in trouble okay although it's not considered a full breach because I'm not going to take that information about that patient and go somewhere with it okay the only time that you can say that it's unintentional or inadvertent is if that information is not used against that patient for any reason that helps if that helps you understand it the covered entity and business associate has a good faith believe that the unauthorized individual who received the information was unable to retain the information or use it okay breach discovery response document as much information as possible report to the privacy and security officer whether it is a tiny breach whether it is two people in the office and they're discussing a patient and they really shouldn't be you report it okay you invest I mean you know this stuff has to be kept private I'm not telling you to go tattle on somebody okay but if it happened over and over again and if you thought that there could be a problem with it then you need to bring that up if you see that going on this could be you know it could cause a problem especially if they're doing it around other patients that can overhear them that individual will then the person that is reported to investigate notify the affected individuals report to the media and Health and Human Services if indicated and implement corrective actions this means disciplinary actions if possible so I'm not going to go and if I hear two employees discussing something I'm not going to go and call the individual that they were talking about because it's probably not gotten out in any way all right that will not go much further than that however if I heard someone or maybe I was taking some information somewhere and it was paper charts and I dropped a paper chart out of my car and it was in a parking lot of a gym and another person picked it up and they called Health and Human Services and reported it I'd be in a lot of trouble but what if they decided to call us and say hey I noticed that there was this chart I realized that it belonged to your office I wanted to get it back to you yes we do have to report that to the individual we have to let them what information know what was affected and know how we're talking you know taking care of it and how we're dealing with the situation okay they do need to do that because if something should happen and there was maybe sensitive information in there about their credit card information or about their Social Security card number or their driver's license number and that person that picked it up at the gym was a good citizen but they took that information or somebody else just took the information off of it and could use it so we have to consider that information always think what if what if this happened what if that happened and that's going to help you prepare yourself for something that could possibly happen confidentiality non-disclosure agreement for the entire workforce including volunteers visitors students violations may result in disciplinary actions including termination or fines and an effect for life so if I sign one at a doctor's office that I'm working at today but then I leave that practice and I go to another one that doesn't mean I can talk about the patients I just left at the other office because I've signed a confidentiality contract and I can't discuss those patients that I saw at the other office now if I went over there and said you know we saw a lot of patients that have this this and this that's one thing okay I didn't give any information out about the actual patient and who they were but even that is questionable we really don't need to talk about any of the patients out of context of taking care of them security rule the purpose is to maintain integrity of the medical records to ensure availability of PHI make sure it's available to the patient and to protect their patient confidentiality now a security officer when we were talking about privacy and privacy covers absolutely anything and everything that has to do with the patient's information and the patient's charts all that the security officer is the person that's going to take care of the security of the patient's information and this could be electronic it actually refers to electronic right now this even covers like encryption decryption you know how our emails are going out how protected is the computer do we have software that protects that who's getting into what when they're getting into it do they need to be in it all that information has that belongs to the information on the security officer's shoulders I mean that's what the security officer will have to deal with again you do not have to have the security officer and the privacy officer being the same person you can have that separate I often tell people that it's better that way because a lot of people are not IT savvy and if you have an IT person then make them your security person so the security rules have administrative technical and physical administrative an example of that would be a password management putting in your password changing your password every 60 days every 90 days whatever technical where it's an automatic log off of your computer you know if your computers pulled up I'll leave the station for two seconds it shuts down so that somebody else comes along and they have to sign in themselves or they have to they can't sign into the computer because it's under my sign-in and then physical workstation use and security meaning only certain people use certain computers and they're located in certain areas and we just have to keep track of all those then you've got administrative safeguards and we went over that with being password management It can also include workforce clearance where we make sure that the person coming in or we do a background check on those or also we establish ways of like the person having security over certain things or they can get into certain things into the computer and another person can only get into certain things in the computer and so this person up front gets into more things the person in the back gets into less things you know and so we determine that in what you need access to and that gets managed. Then you've got technical safeguards, unique user identification, emergency access procedure, automatic log off, encryption, decryption. These are all technical and then physical. The contingency operations, what are you going to do if the place you're not able to access the patient's actual record at the moment that they come in and you're working with them? Can we still continue to see that patient? Yes, we can go in, we can still see the patient, we can address their problems, we can write this down on a piece of paper and we can put it in later into our computer. We have to have those contingency operations written somewhere in what we would do. Facility security plan, same thing, how are we going to protect the information within the building, access control, validation procedures, maintenance records, even the disposal of the device and media that we have and that's what an IT person does too which helps out a lot if there's a privacy officer and a security officer. Sample security controls, installing and regularly updating the virus protection, set screen savers, and also somebody that's home-based transcriptionist or even auditor that does stuff, making sure that they know the regulations and policies of having a work computer at home and regulating it and also making sure that somebody else does not get on to that computer and use it or have access to that information. So every employee when they are hired there is a procedure where you must go through and then also during termination and during the termination you you have to take away everything that they could have access to the patient information with. That can include just getting into the building with their keys, it could be changing the locks if you can't get the key back, also the computer password, you got to block them out. There have been times that employees have not gotten blocked out of the system and they keep remotely accessing patient information and unless somebody's checking that you would never know. And then workstation precaution, position the monitors so the patients can't read them, making sure that there's even when they're walking by and on the big screen can see patient information. Don't let that occur. Put one of those screens on it if you need to. And then passwords, require staffers to memorize their passwords. Do not write your password somewhere else, do not store it somewhere else, do not have it written somewhere. It has to be stored in your brain and that's all there is to say about that, okay. There's no, I guess, absolute way to protect a password unless it's just in your head because writing it down someone can see it, someone can access it. If you're putting it close to your computer, we've seen it where it's a sticky note sitting on top of their computer so that they'll know what how to log in every time they go in there. That's a no-no. When we talk about data backup, you know, a lot of us don't have to worry about that. A lot of clinical people, things like that. However, it is very important that you know that the information is backed up and you have access to it at any time if your computer should shut down and you have lost information. Like maybe for some reason at the office it's just been wiped clean and you have nothing on there and you have to go back and that's why that contingency plan that we talked about earlier is very important because what they're going to do is they're going to take the CDs and all that stuff or software CDs and all that and download it back onto the computer and then they're going to restore that backup information onto the computer. Okay, so that means that they've got to put their firewall back on there. They got to download the EMR system. They got to do all that if your computer totally crashes. Okay, so that's why that backup is very important but unfortunately unless we have it all written down we can't prove to HIPAA that we have a contingency plan. You know, you could say, oh yeah we do this is what it is blah blah blah blah. Well, that doesn't mean that everybody at the office knows what it is and they know what to do if it should happen and that's why we have to have it all written down. That's why a lot of the reason why we have to have any documentation is to prove to somebody else that we're doing it and we're taking care of it. Consider web-based or cloud and most of us do have that. Some of us still have hard drives that we save and if you do make sure you store those in locked, waterproof, fireproof, safe, or box, or whatever that in an event of the fire or a flood that you still have access to those tapes. Passwords. Like I said, do not write them down anywhere. Do not leave them where somebody can do it or get to it. Use it. Do not share it with anyone. Do not let anyone use it if it's on your computer and somebody comes along says, hey I want to use your computer. Can I use it? And you need to sign out. Change at least every six months and most of the time things will ask you to change about every 60 to 90 days which is very important because and I for the longest time never realized how important it was. However, I could change my password tomorrow. In two or three days somebody could access my password and they could start accessing my information on my computer in my, you know, phone or whatever else and unless I change my password again, they will constantly have access to all that information that I'm putting in there. So it should be at least seven positions, random arrangement of letters, numbers, special characters, whatever you need to do. You could say my brown dog jumps! Or my one, and you could put a one, dog jumps! Not easily guessed. No names, birthdays, and such. Sample security issues. Always make sure that your facility is secured and that your server is secured. That if it is an area where a patient can have access to it, walk by it, get to it. The same way with your fax or printer. You want it in an area where patients don't have readily access to it because they could pull something off of there when they walk by. That's why we don't let patients walk through the office by themselves. That's why we escort patients. That's why, you know, I didn't realize that. I mean a lot, I mean I have a lot of times, actually my doctor does not escort me out the door. The nurse doesn't either. They'll just tell me to go on down there and turn or whatever. Well, I could get lost in their office and end up in the doctor's office with patient information sitting on the desk. Okay, that's why they like for you to escort people throughout the office. Do not let hackers view or tamper with your data. Combine a firewall, router, device that connects your network to the internet. Control access to data by requiring staffers to log on with user IDs and passwords. These are all sample security issues. Also, personal devices that are used. Making sure like the laptops or your phones can be easily stolen or lost. So, you have to consider where that information is going. So, like I have a computer. However, my computer does not store, you know, heavy information that could get out to somebody. I don't have any kind of patient information or anything. I don't deal with any kind of patient information for my clients. However, if somebody got on and guessed my password into our server, I'm in trouble. Okay, so they could steal my computer, figure out the password, get into the server, and get all that information that is access. I told them actually not to give me access to all that other information because I didn't want that other information as a full thing because I didn't want to be responsible for that. I didn't need access to it. There was nothing in there I needed to look at and that way they could control that and I wouldn't have to worry about somebody stealing my computer and getting into it. Discarding a computer, remove and destroy the hard drive so that no one can retrieve any data. If you're giving it away, if you're selling it, anything like that, you better use a program that guarantees and gives you a certificate that all the information has been removed because then they can go back on that person and that did not remove that information. It's best to shred or melt all storage media. So if you have 10 CDs of backup CDs and you no longer need them, then you destroy them. Some reminders, do not discuss PHI beyond the minimum necessary. Do not discuss PHI with unauthorized people and you know sometimes you'll look at this and even when I read it I think, well that's silly, who would do that? But somebody could ask you, well how did your day go? And you might just want to tell them, hey you know, well we ran into our neighbor came into the office today. Oh who was your neighbor? Or oh which neighbor if that's a neighbor? You know and so that's where you're going to get in difficulty especially if it's a small town. So you got to watch what you say. Do not bring software from home. So like if I had a USB and I bring it to work and I stick it into the computer to download something, who knows if it you know might have something on it. I don't know. I mean unless it's it's better if you get it from work or if the work purchases it. If it happens, I would rather than purchase it and you pay it for them. You know you pay for it or whatever, but they are responsible for getting it and they know that it is protected. If accessing email, do not open any attachments. Be sure when you are, if you can access any kind of email, that you make sure that that email is from the person it's supposed to come from. So like if you got, I may be talking to one employee in our office back and forth and back and forth, but then there's another one that I don't normally talk to on email. You know I talk to her in the office, but I don't ever email her for any reason. Well all of a sudden I get an email from her and I'm like, well that's weird. And especially what it says in the email and it said and it gave me an attachment and I'm like, I'm not opening that because you have to think of that. Don't just automatically go and go, oh well wonder what they sent me. Do not question those emails, okay. And what I'll do is I'll go back to that person. If she's in the office, I'll just go ask her, but otherwise I'll send her a separate email and say, hey I just got an email from you and it had attachment in it. Was there something you were trying to send me? And then they would say, no, no, no, no, you know or whatever. And I turn that directly over to our IT person. I make sure that they know that this is a phishing scam or could be something going on there they can look at. Treat all hardware and software like controlled drugs. Keep it accurate inventory and current inventory. And that's another reason when we talk about contingency plans, this is where it's very important that you keep all your hardware and software controlled as far as having accurate and current inventory. Because when it crashes, you're going to need to put all that information back on it. Or if somebody steals something, you're going to need to say, wait a minute, one, two, three, four, okay I'm missing a computer. Especially if you're like walking around with iPads and the iPad get missing. And that has happened. Keep doors closed if possible and consider an electronic lock between reception and clinical area. That's just a big thing because if somebody is in the clinical area and we've got somebody out in reception that they can't just walk back. Okay, open the door and walk back. Definitely make sure that your door is closed. But some people will, even if it's closed, they'll just walk on back. Some people just get familiar with the doctors or familiar with the office and they're like, hey, or somebody's not sitting at the front desk immediately and you have to get up for two seconds to go tell a doctor something, you come back, there's been a patient that just walked through. Okay, so that lock is going to protect you in that situation. Enforcement. Just like any other thing, a lot of times there's not somebody that, there's just too many people out there for them to come around all the time and and see all of us. Okay, it's not going to happen. So those regulations that we put out there, if something happens and a breach happens, guess what? Well, they're going to come look at us. Especially if it's a large breach and that's when an inspection comes. A lot of times there's a complaint or there's been a breach and they find out about it and they come. But that's not going to stop them from just showing up. That's their prerogative. They can show up and look at everything. So if it is, I did have somebody that actually was randomly chosen to have advanced notification by Health and Human Services and they wanted to use them as an example and they wanted to kind of walk through their office and use them as an example to say, okay, this is what you need to fix and this is what you need to do and show somebody how that works. Well, they panicked and fixed everything before they came and HIPAA knew it, you know, or Health and Human Services knew it. They said, why did you fix all these? We need to use that information. That's why we came. We wanted to see that there were, you know, little incidences of stuff happening. We wanted that, you know, to be able to use that. Penalties for violations, sliding scale based on severity of the violation and the affected individuals that were, they could even be compensated if their information was breached. Maybe somebody bought a house with their information and got their credit card. They start a credit card. They went from there and, you know, especially older patients that we have and if they don't check things, you know, more regularly, they don't notice that things are gone or being used like that. So, that's when it usually happens. Internal penalties. There's also HIPAA regulations. Emphasize disciplinary actions may help mitigate fines if enforced. Accountability and responsibility for everyone across the board and individuals, not just employer, may be penalized. And they actually like to see that the employer is making sure that these things happen. That they are covering and making sure that there's policies, procedures in place and that there's disciplinary actions if something should go wrong. Now, there are site-specific reminders. So, there's things that can occur and how you're handling your paperwork and what you're doing within the office. So, I do know and I've worked with plastic surgeons and dermatologists and they, a lot of times, use cameras and they're dealing with that and you have to actually back those up and delete the information off those cameras or iPads or whatever you have when you've stored them there, okay? Because if they're lost or stolen, you don't usually know how much information you've lost. That PHI, if they were, you know, if there was no way that they could get to it, it went into the system or the software that you created or have through your office and they can't get to that, then that's one thing. But, a lot of times what happens is you store that. It's not a protected space and if someone steals a camera or it gets lost, you have lost that information, that protected health information, those pictures of those patients and those specific pictures of those patients of the condition that they may have or something that they had worked on, okay? Don't leave any kind of paperwork or screens on computers where the patients can have them or view of other patients. A lot of times you have computers up in areas where patients might be walking by or they'll stop and stand and talk to you, then you want that information not on those computers and that paperwork turned over. You do not want that. And then also keep that discussion to a patient about their information and also to a co-worker about a patient's information to a minimum because you don't want people to overhear you. You don't want to be too loud if you're discussing things from room to room and you don't want someone in one room to hear from another room. Just be careful and mindful of those things. That's how you're going to stay out of trouble. Thank you so much for attending today's webinar. If you have any questions, please reach out to AAD Compliance website at aad.org backslash compliance or you can reach out by email at practicecenter, no spaces, at aad.org. Thank you again and have a great day.

HIPAA regulations

Health Insurance Portability and Accountability Act

Privacy and security regulations

Compliance

Patient information protection

Penalty adjustments

HIPAA Security Rule Cybersecurity Resource Guide

Privacy Rule

Breach notification

Notice of Privacy Practices