HIPAA Training.
Health Insurance Portability and Accountability Act (HIPAA) Introduction to HIPAA.
[Audio] HIPAA gives people more control over who has access to their protected health information. It protects their privacy by establishing a national standard and guidelines for the handling, storage, and sharing of protected health information. HIPAA is a set of national rules that protect everyone's health information. HIPAA also helps people keep health insurance between jobs. This is the "Health Insurance Portability" part of the law. The "Accountability" part of the law is designed to protect the security and confidentiality of health information. Before HIPAA, there were no national standards for how health information was handled and stored. Privacy policies varied from state to state, so people's private information received different levels of protection depending on where they lived. This left people vulnerable: others could learn or use their information inappropriately. HIPAA gives people more control over their information and privacy. People can know how their health information is being shared and used, and they can make corrections to their medical records. HIPAA provides guidance for professionals on how to share health information, both with other professionals and caregivers and in general practice. Professionals vary in their understanding of what is acceptable to share and with whom. HIPAA is meant to ensure information is protected. It supports a person's right to privacy and control over their personal information. However, HIPAA is not meant to be a barrier to quality outcomes. It should not add to the problems of an already fragmented system by preventing appropriate sharing of information. Remember that HIPAA provides a minimum national standard that must be followed. Some states and employers may have additional policies and regulations that must also be followed. HIPAA is a law; it does not address the ethics of confidentiality. Ask your supervisor when you are unsure about the rules you should follow.
[Audio] Respect for a person and their independence is crucial to your role as a direct support professional (DSP). This also means respecting any of the person's confidential information. By protecting the privacy of the individual you support, you develop a relationship based on respect and trust. It is important to know that a person can be put at risk when private information is compromised. The person might experience discrimination. They may become the victim of identity theft. People might avoid professionals they do not trust to protect their information, and as a result they may miss out on needed treatments or services. People count on DSPs to be respectful and to support their privacy and confidentiality while completing their duties.
[Audio] HIPAA rules have been in place since 1996. A lot has changed since the law was first enacted. For example, many more people and organizations use computers for saving and sending health information than in 1996. Some changes were needed to reflect the changing times, so in 2013 the HIPAA rules were updated. The Privacy Rule gives people more control over their health information. It sets standards for the use and disclosure of health information. The Security Rule is a series of safeguards for electronic health information. Organizations must use these safeguards to protect information. A breach is an unauthorized or accidental use of protected health information that compromises the security of health information. When a breach occurs, organizations are required to conduct a risk analysis and submit a report.
[Audio] Under HIPAA, you are responsible for protecting certain types of private information. Protected health information (PHI) is any health information that can be connected to a specific person. If you only state medical conditions or treatments without identifying a person, you are not sharing PHI. For example, you may say: "I work as a direct support professional supporting people with physical disabilities." However, combining this type of information with a way to identify a specific person is sharing PHI. For example: "I support Jerry over on Williston Road, due to his physical disability." The key is the combination of health information with information that makes it possible to identify someone.
Direct Support Professionals and Identifiers: Identifiers are pieces of information that make it easier to identify who the information is about. Not all private information is protected health information (PHI) or an identifier. However, you may still be expected to keep it private for ethical or legal reasons. You should never release PHI without permission. You need to be careful with identifiers. Any time you use an identifier, there is a possibility you are sharing PHI.
[Audio] HIPAA is a set of federal rules that protects people's health information. It also provides guidance to professionals on how to share information appropriately. It is important for direct support professionals to protect certain information under HIPAA. Names, addresses, phone numbers, and Social Security numbers are all examples of identifiers that become protected health information when combined with health information. HIPAA is a set of minimum standards. You may have other legal, ethical, or practice-driven reasons not to share information about the people you support.
[Audio] This lesson provides a brief overview of the HIPAA Privacy Rule and the HIPAA Security Rule. It will discuss how these rules impact the work of direct support professionals. This lesson will also provide you with important ways to protect the health information of the people you support. After completing this lesson, you will be able to: Describe how the HIPAA Privacy and Security Rules apply to direct support roles.
[Audio] The health-care industry has changed a lot since HIPAA was first passed in 1996. Even more professionals are using computers for storing and sending information. Therefore, in 2013 some changes were made to the HIPAA Privacy and Security Rules. These updates give people more control over their health information. They also guide professionals in how to safely handle protected health information.
[Audio] The Privacy Rule strikes a balance. It keeps a person's protected health information (PHI) safe while allowing professionals to share information about that person's care. The Privacy Rule sets national standards for how information can be used between professionals, including direct support professionals (DSPs). It also allows people to understand and control how their PHI is shared.
[Audio] What can be shared? In general, you can share PHI with approval from the person. Employer policies may require a signed form in some cases. If the person is present and can answer, you are free to ask them what they prefer you to share. You can also share information as required by law and as appropriate to your expected duties. You are responsible for doing so in ways that ensure it is not shared with people accidentally or inappropriately.
With whom? In general, you may share PHI with people and professionals who are involved in the person's support and care. This may be a family member, another DSP, a dentist, or a doctor. Your employer may require a signed release on file.
For what purpose? PHI might be shared for a variety of reasons. You will share PHI with other people and professionals who provide treatment and care for the person. The person you support might allow you to share PHI when they are trying to secure new services. All purposes must be related to carrying out your duties.
Who can authorize sharing? As a DSP, under the Privacy Rule you are allowed to share PHI with other people or professionals directly involved in that person's care. If you are going to share PHI with others not directly involved in the person's care, you must get the approval of the person or their legal representative in writing. Make sure all paperwork is complete and signed before sharing PHI.
When can it be shared? A person has the right to limit the time frame of information sharing. For example, the person may say that PHI can be shared with potential employers for up to six months. In that situation, sharing PHI with potential employers after six months would be out of compliance with the law. If a person is with you and can consent, or they are incapacitated and information is needed for their health or safety, you are permitted to share critical information with others who are helping (EMTs, doctors, etc.) without current signed consent.
[Audio] When you share protected health information (PHI), you should follow the Minimum Necessary Requirement under the Privacy Rule. This helps to minimize risk to the person you support and gives them control over their information. The requirement states that you should share with other professionals only the PHI necessary to accomplish a certain task or your job, and nothing more.
[Audio] Since many organizations now share and store protected health information (PHI) in electronic formats, the Security Rule has also been updated. It includes specific requirements for protecting any PHI that is shared or stored electronically. Examples of electronic PHI are information shared over the Internet or by email, stored on a computer, or saved on a CD or drive. The Security Rule outlines administrative, physical, and technical safeguards that organizations must use to protect electronic PHI. As a direct support professional, you are responsible for protecting electronic PHI and need to understand these safeguards.
Administrative Safeguards: Administrative safeguards are the policies and roles organizations need to put into place to protect electronic PHI. Examples include:
- Assigning someone to be a "privacy officer" at the organization
- Providing training to employees around privacy
- Developing written agreements with anyone who needs access to PHI
Physical Safeguards: Physical safeguards protect the physical spaces in which electronic PHI is created, shared, or stored. Examples include:
- Controlling access to workstations and computers
- Securing email servers
- Designing backup and disaster recovery plans for electronic systems
Technical Safeguards: Technical safeguards are ways of ensuring information is protected through technological means. Examples include:
- Controlling who has access to PHI
- Creating user IDs and passwords for staff to access PHI
- Encrypting data
[Audio] Although most direct support professionals do their best to keep protected health information (PHI) safe, sometimes information is shared accidentally. For example:
- A person is speaking in public using a loud voice
- Information is left in public spaces such as the living room or kitchen
- Information is sent to the wrong email or mailing address
- File cabinets are left open and unlocked
- Information is put in the trash instead of being shredded
- A person loses a piece of information they were carrying, such as a medical insurance card
Keep in mind that even if the sharing of PHI was accidental, you need to take immediate steps to correct the security breach.
[Audio] The HIPAA Privacy Rule gives people more control over their health information and allows medical professionals to share information with each other to provide care. The HIPAA Security Rule protects people's electronic protected health information (PHI). The Minimum Necessary Requirement states that direct support professionals provide only the amount of information needed to get the job done. Locking PHI in cabinets, shredding it after use, and keeping your computer passwords safe are three of the many ways you can protect health information.
[Audio] This lesson provides a brief overview of the HIPAA Breach Notification Rule and the HIPAA Enforcement Rule and discusses how these rules impact the work of direct support professionals. This lesson will also provide you with a final review of keeping protected health information safe. After completing this lesson, you will be able to: Define a breach under the HIPAA rules and state the steps you should take when you suspect a breach.
[Audio] HIPAA has been around since 1996. During this time, health care organizations have found better, more efficient ways of serving people. In 2013 the federal government made changes to some HIPAA rules to reflect the changing times. You should already have reviewed the changes that were made to the Privacy Rule and the Security Rule. This lesson discusses the updates that were made to the Breach Notification Rule and the Enforcement Rule. These rules establish standards and consequences for the unauthorized sharing of protected health information.
[Audio] Under the Breach Notification Rule, a breach is defined as unauthorized sharing of protected health information (PHI) that creates a risk to the safety and privacy of the PHI. Not all unauthorized sharing of PHI is considered a breach under the Breach Notification Rule. For it to be a breach, there needs to be a threat that a person's PHI has been or will be compromised. For example, when materials contain a person's Social Security number or their address, sensitive information has been shared but not necessarily PHI. If the materials contain some notes the person took while at the doctor but no identifiers, no sensitive information has been shared. If they contain identifiers and health information, PHI has been disclosed. The overall risk of the breach is assessed as well. The larger the amount of identifiable and sensitive information, the more likely it can be used to harm a person in some way, and the more problematic the breach. Responses will be based on the overall risk to the person.
[Audio] Report the Situation: You must contact the correct person regarding a potential problem with information. In each organization someone must be designated as a privacy officer. If you suspect PHI has been shared with an unauthorized person and you do not know who the privacy officer in your organization is, contact your supervisor right away. No matter how small the incident, report it.
Determine the Risk: Your organization will need to conduct a risk assessment. All unauthorized sharing of PHI is considered a breach unless the organization can show there is a low risk to the safety and privacy of the PHI. The privacy officer and others will be involved.
Is PHI Safe? In the risk assessment, your organization will determine whether a breach occurred as defined under the Breach Notification Rule. Your organization will consider things like who had access to the PHI, the types of identifiers shared, and whether or not the PHI was actually acquired or viewed.
Report the Breach: If your organization determines a breach occurred, it must report the breach to the government and to the affected individuals. Additionally, if the unauthorized sharing of PHI affects more than 500 individuals, the organization must also report the breach to local media.
[Audio] The HIPAA Enforcement Rule provides serious consequences for people and organizations that violate HIPAA laws. Unauthorized sharing of protected health information (PHI) may result in monetary fines or jail time. Often these punishments are given to people who share someone's PHI on purpose for personal gain. As a direct support professional, you aim to keep the PHI of those you support safe. However, you should still take extra precautions to keep PHI private, because individuals and organizations can be fined even if they did not share PHI on purpose.
[Audio] The HIPAA Breach Notification Rule requires organizations to follow a specific process if they suspect a breach has occurred. A breach is when unauthorized sharing of protected health information (PHI) threatens the safety and privacy of the PHI. The HIPAA Enforcement Rule describes consequences for violating HIPAA rules. After completing this lesson, you are able to: Define a breach under the HIPAA rules and state the steps you should take when you suspect a breach.