Published by TINA.WILLIAMS, 2017-08-31 14:53:24

TOOLKIT OUTLINE_08242017_test


Lesson Plan for

1 An Overview of HIPAA

Facilitator Lesson Guide: Introduction of the Protected Health Information Toolkit

1. Defining Learning
2. The importance of education on the Privacy and Security Rules
3. The Purpose of the Toolkit
4. Identifying the target audience

SECTION LESSON PLANS & OBJECTIVES
Section 1.1: Introduction to HIPAA

1. HIPAA Background
2. Identify the characteristics of the Privacy Rule
3. Identify the characteristics of the Security Rule
4. Interpretation of the Breach Notification Rule

SECTION TEACHING FOCUS

In these two sections, the learner will be introduced to an overview and background of the Health Insurance
Portability and Accountability Act (HIPAA).
Discuss with the learners the importance of the Privacy Rule and the Security Rule and how these rules mandate the
safeguarding of Protected Health Information.
Finally, the learner will learn about HIPAA’s Breach Notification Rule and the enforcement of the Privacy and Security Rules.

SECTION PRETEST ICE BREAKER

1. What kind of protected health information (PHI) is protected by the HIPAA Privacy Rule?
a. Paper
b. Electronic
c. The spoken word
d. All of the above
e. None of the above

2. You are working elsewhere in the hospital when you hear that a neighbor has just arrived in the ER for
treatment after a car crash. You should:
a. Contact the neighbor’s spouse to alert him or her about the accident
b. Do nothing and pretend you don’t know about it
c. Tell the charge nurse in the ER that you know how to reach the patient’s spouse and offer the
information if it’s needed

SECTION PRETEST ANSWERS


LESSON 1.1

Facilitator Objectives Covered

1. Interpret rules of Health Insurance Portability and Accountability Act (HIPAA).

National Standards Covered

Content
 Ethical decisions, medical jurisprudence, and confidentiality
Competencies
 Perform within legal and ethical boundaries

Lesson Preparation Checklist

 Prepare lecture from PHI Presentation Slides.
 Assemble materials and supplies needed for each lesson as indicated below.
 Evaluate learner performance on their knowledge of Protected Health Information, as required for learners’
comprehension and application of the Privacy and Security Rules, including:
o Safeguarding Protected Health Information

Materials and Supplies

 Projector
 Computer/Laptop
 3x5 PHI Cards
 PowerPoint Handouts (optional)

Key Terms

 Business Associates
 Business Associate Agreement
 Electronic Data Interchange (EDI)
 Electronic Medical Records (EMR)
 Electronic Protected Health Information (ePHI)
 Health Information
 HIPAA
 HITECH
 HIPAA Audit
 HIPAA Violations
 Privacy Rule
 Security Rule
 Civil Penalties
 Criminal Penalties
 Due Diligence
 Reasonable Cause
 Willful Neglect
 Individually Identifiable Health Information
 OCR HIPAA Audit Protocol
 Protected Health Information

15-Minute Facilitation Outline

Slide 1
1  Objectives: At the end of this education session the attendee will be able to:
1. Define PHI and identify examples of PHI
2. Apply appropriate safeguards to protect a patient’s PHI
3. Understand how privacy violations can happen

Slide 2

Slide 3 Privacy Rule

Slide 4 1. The Privacy Rule went into effect April 14, 2003
2. Privacy refers to protection of an individual’s health care information in all modes of communication, such as:
 Verbal or oral
 Written
 Electronic
3. Defines how to appropriately use and disclose patient information
4. Outlines ways to safeguard PHI

TALKING POINTS:
 The Privacy Rule requires everyone to safeguard and protect the privacy of our patients’ health information.
There are limits and conditions on when and how PHI may be disclosed without a patient’s direct authorization.

Security Rule

Security means controlling:
1. Confidentiality of electronic protected health information (ePHI)
2. Storage of ePHI
3. Access to ePHI

TALKING POINTS:
1. Jefferson is a covered entity and is required to develop and implement policies and procedures to protect
the security of the ePHI we create, receive, maintain, or transmit.
2. Ensure the confidentiality, integrity, and availability of all ePHI we create, receive, maintain, or transmit
3. Identify and protect against reasonably anticipated threats to the security or integrity of the ePHI
4. Protect against reasonably anticipated, impermissible uses or disclosures
5. Ensure Jefferson’s workforce is in compliance

The Importance of Privacy and Security Education

 All patient information is confidential
 Any time YOU come in contact with PHI that is written, spoken, or electronically stored, YOU become
responsible for a component of the privacy and security regulations.
 The law requires it!
 To ensure your understanding of the Privacy and Security Rules as they relate to your job

TALKING POINTS:
1. A major goal of the Privacy Rule is to assure that individuals’ health information is properly
protected while allowing the flow of health information needed to provide and promote high
quality health care and to protect the public’s health and well-being
2. Covered entities such as


Slide 5 HIPAA Breach Notification Rule

 To do the “Right Thing” every time requires awareness and an understanding of security and privacy
requirements. Education increases Jefferson associates’ awareness and understanding of:

Safeguarding:
 Confidentiality of PHI
 How to secure PHI appropriately and thereby mitigate the risk of a patient’s PHI being mishandled or
inappropriately used
 How to limit access by unauthorized persons
 How to minimize the risk of noncompliance with laws and regulations

TALKING POINTS:
 The HIPAA Breach Notification Rule requires Jefferson to notify affected individuals, HHS, and in
some cases, the media of a breach of unsecured PHI.
 Most notifications must be provided without unreasonable delay and no later than 60 days
following the discovery of a breach.
 Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to
HHS annually (within 60 days of the end of the calendar year in which the breach was discovered).
 The Breach Notification Rule also requires business associates of Jefferson to notify
Jefferson of breaches at or by the business associate.

Activities (Classroom / Online)
Choose from below to make 20 minutes

1 ROLE-PLAY
 Divide the class into groups. Ask each group to think of three situations in which a privacy
violation might arise. The groups should then role-play these situations for the class to demonstrate
possible responses.

3 DISCUSS
 Discuss the parts of the Administrative Simplification portion of HIPAA and how it pertains to privacy
and confidentiality. This includes non-secure emails, discussions in the halls, and other means by which
confidentiality may be broken.

4 REVIEW RESEARCH
 Divide the learners into groups and have them complete Exercise 1-2 and then go over the answers
with the class.
 Facilitator may access HHS.gov, Health Information Privacy:
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

Critical Thinking Question
Confidentiality and privacy are important concepts in healthcare because………………..?

Discussion Guidelines: Covered entities and specified individuals who knowingly obtain or disclose
individually identifiable health information in violation of the Administrative Simplification regulations
face a fine of up to $50,000, as well as imprisonment of up to 1 year.

Offenses committed under false pretenses allow the penalties to be increased to a $100,000 fine, with up to 5
years in prison.

Facilitator Notes/Learner Feedback


LESSON 2
Protected Health Information (PHI)

Facilitator Objectives Covered

1. Define PHI
2. Identify PHI Identifiers

National Standards Covered

Content
1. Ethical decisions, medical jurisprudence, and confidentiality

Competencies
1. Perform within legal and ethical boundaries

Lesson Preparation Checklist

 Prepare lecture from PHI Presentation Slides.
 Assemble materials and supplies needed for each lesson as indicated below.
 Evaluate learner performance on their knowledge of Protected Health Information, as required for learners’
comprehension and application of the Privacy and Security Rules, including:
o Safeguarding Protected Health Information

Materials and Supplies

 Projector
 Computer/Laptop
 3x5 PHI Cards
 PowerPoint Handouts (optional)

Key Terms

 Business Associates
 Business Associate Agreement
 Electronic Data Interchange (EDI)
 Electronic Medical Records (EMR)
 Electronic Protected Health Information (ePHI)
 Health Information
 HIPAA
 HITECH
 HIPAA Audit
 HIPAA Violations
 Privacy Rule
 Security Rule
 Civil Penalties
 Criminal Penalties
 Due Diligence
 Reasonable Cause
 Willful Neglect
 Individually Identifiable Health Information
 OCR HIPAA Audit Protocol
 Protected Health Information

15-Minute Lesson Plan

Slide 6 Facilitation Outline

1  Objectives: At the end of this education session the attendee will be able to:
1. Define PHI and identify examples of PHI
2. Apply appropriate safeguards to protect a patient’s PHI
3. Understand how privacy violations can happen

Slide 7 What is PHI

Slide 8 1. PHI is individually identifiable health information that is:
 Created or received by a health care provider, health plan, employer, or health care clearinghouse
 Related to the past, present, or future:
1. Physical or mental health or condition of an individual
2. Provision of health care to an individual
3. Payment for the provision of health care to an individual

TALKING POINTS:
The Privacy Rule establishes standards for the protection of PHI held by:

 Health plans
 Health care clearinghouse
 Those health care providers that conduct certain health care transactions electronically
 Business Associates

PHI Includes

 Information in the health record, such as:
1. Encounter/visit documentation
2. Lab results
3. Appointment dates/times
4. Radiology films and reports
5. History and physicals
6. Patient identifiers

TALKING POINTS:


Slide 9 Patient Identifiers

There are eighteen patient identifiers (45 CFR 164.514(b)); all of them must be removed for health information to be
considered de-identified under the Safe Harbor method:
 Names
 Geographic subdivisions smaller than a state (street address, city, county, ZIP code)
 Dates related to an individual (date of birth, admission/discharge dates, date of service, and ages over 89)
 Telephone numbers
 Fax numbers
 Email addresses
 Social Security Numbers
 Medical Record Numbers
 Health plan beneficiary numbers
 Account Numbers
 Certificate/License Numbers
 Vehicle identifiers and serial numbers, including license plate numbers
 Device identifiers and serial numbers
 Web URLs
 Internet protocol (IP) addresses
 Biometric identifiers, including finger and voice prints
 Full-face photographs and comparable images
 Any other unique identifying number, characteristic, or code

TALKING POINTS:
 Protected health information is any information in the medical record or designated record set that can be
used to identify an individual and that was created, used, or disclosed in the course of providing a health care
service such as diagnosis or treatment.
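As an added illustration that is not part of the original toolkit, the Python script below scans a constructed clinical note for several of the identifier categories on this slide (SSN, phone/fax, email, IP address, URL, dates, and a medical record number) and redacts what it finds. The regular expressions and the seven-digit "MRN" format are assumptions made for this example, not Jefferson’s actual formats; names and street addresses cannot be found by pattern alone, so a scanner like this supports, but does not replace, a Safe Harbor review.

```python
import re
from typing import Dict, List, Tuple

# Patterns for a subset of the eighteen identifier categories. These regexes and the
# seven-digit "MRN" format are assumptions for this example, not an institution's real
# formats; names and street addresses need dictionary/NLP methods and are not covered.
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?<!\w)(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # lazy match that stops before trailing punctuation, so a sentence-ending "." is not captured
    "url": re.compile(r"\bhttps?://[^\s<>\"']+?(?=[.,;:]?(?:\s|$))"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN[ #:]*\d{7}\b", re.IGNORECASE),
}

# Constructed sample note with planted identifiers; no real patient data.
SAMPLE_NOTE = (
    "Pt Jane Doe, MRN 0012345, DOB 03/14/1962, seen 02/02/1997 after MVC. "
    "SSN 123-45-6789 on file. Cell (215) 555-0199, fax 215-555-0142, "
    "email jane.doe@example.com. Portal login from 10.20.30.40; "
    "records at https://portal.example.org/pt/0012345."
)


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (category, matched text) for every pattern hit, in document order."""
    hits = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), m.end(), category, m.group()))
    hits.sort()
    return [(category, matched) for _, _, category, matched in hits]


def count_by_category(text: str) -> Dict[str, int]:
    """Tally hits per category, a quick way to rank documents for manual review."""
    counts: Dict[str, int] = {}
    for category, _ in find_identifiers(text):
        counts[category] = counts.get(category, 0) + 1
    return counts


def redact(text: str) -> str:
    """Replace each hit with a [CATEGORY] token. When spans overlap (an IP address inside
    a URL), the longest span wins so the whole URL goes, not just the address inside it."""
    spans = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            spans.append((m.start(), m.end(), category))
    spans.sort(key=lambda s: (s[0], -(s[1] - s[0])))  # by start, longest first on ties
    out, pos = [], 0
    for start, end, category in spans:
        if start < pos:  # lies inside a span that was already redacted
            continue
        out.append(text[pos:start])
        out.append(f"[{category.upper()}]")
        pos = end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    for category, matched in find_identifiers(SAMPLE_NOTE):
        print(f"{category:13s} {matched}")
    print(redact(SAMPLE_NOTE))
```

Run as-is to see the nine planted identifiers listed and the redacted note; notice that "Jane Doe" survives redaction, which is exactly why pattern matching alone does not satisfy Safe Harbor.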

Slide 10
Slide 11
Why do we need to protect PHI?

 It’s the law
 To build trust between providers and patients
 To protect our reputation
 To avoid potential withholding of federal Medicaid and Medicare funds
TALKING POINTS:
 Jefferson’s commitment to protecting patients’ privacy:
 As an employee, you are obligated to comply with privacy and security policies and procedures
 Jefferson patients and their family members are placing their trust in us to safeguard the
privacy of their personal information
 Most importantly, privacy is not an OPTION; it is REQUIRED
 Employees who decide not to comply with HIPAA guidelines or Jefferson’s Code of Conduct
risk personal and professional penalties and sanctions
 Violating our patients’ privacy also places Jefferson at risk, including financial and
reputational harm

Who or What Protects PHI?
 Federal Government protects PHI through HIPAA regulations

 Civil penalties up to $1,500,000 per year for identical types of violations
o Penalties for willful neglect violations are mandatory!

 Criminal Penalties:
o $50,000 fine and 1 year prison for knowingly obtaining and wrongfully sharing
information
o $100,000 fine and 5 years prison for obtaining and disclosing through false pretense
o $250,000 fine and 10 years prison for obtaining and disclosing for commercial
advantage, personal gain, or malicious harm

 Jefferson, through the Notice of Privacy Practices (NPP)
 YOU, by following Jefferson’s policies and procedures
TALKING POINTS

 Under the original HIPAA statute, civil fines of $100 per violation, up to $25,000 for multiple violations
of the same standard in any given calendar year, could be imposed (the HITECH Act of 2009 raised these
to the tiered penalties shown above). There are several instances in which the civil fines can be
waived or reduced:
o If an offense is otherwise punishable (that is, criminally sanctionable) under HIPAA, a
civil penalty may not be imposed additionally.
o A civil penalty may not be imposed if it is established to the satisfaction of HHS that the
person liable for the penalty did not know, and by exercising reasonable diligence
would not have known, that they violated the provision.
o A civil penalty may not be imposed if the failure to comply was due to reasonable
cause and not willful neglect, and the failure is corrected during the 30-day period
beginning on the first date that the person liable knew, or by exercising reasonable
diligence would have known, that the failure to comply occurred. The 30-day period may
be extended on request for a period of time determined by considering the nature and
extent of the non-compliance, at the discretion of HHS.
o In the case of a failure to comply owing to reasonable cause and not to willful neglect,
any penalty that is not entirely waived may be waived to the extent that payment of
the penalty would be excessive relative to the compliance failure involved.

 Criminal Penalties
o There are no exceptions explicitly set out in the HIPAA statute for mitigation or waiver
of the criminal penalty provisions.

Slide 12
Slide 13
What is Minimum Necessary?
Slide 14
Slide 15
 To use, disclose, or release only the amount of information “minimum necessary” to accomplish
the intended purpose of the use, disclosure, or request.
 Requests from employees at Jefferson:
o Identify each co-worker who needs to access the patient’s PHI
o Limit the PHI provided to a “need-to-know” basis
 Requests from individuals not employed at Jefferson:
o Limit the PHI provided to what is needed to accomplish the purpose for which the
request was made
o Ensure that the requestor has the appropriate authority and rights to receive the
requested information
TALKING POINTS

 The Privacy Rule requires strict adherence to its requirements. Therefore, a covered entity
may not use or disclose PHI except as permitted or required by the Privacy Rule.

 The Privacy Rule requires that, even when permitted to disclose PHI, you make every
reasonable effort to limit the disclosure to the minimum necessary.

 A patient can inspect, copy, or amend their PHI where specific criteria are satisfied, and the
Rule also grants a patient the right to an accounting of certain disclosures of their
protected health information.

Release of Information (ROI)
• When releasing PHI, it is important to know when a patient’s authorization is required. Patients’
authorizations are governed by state and federal law
TALKING POINTS

 There is no standard, uniform state privacy law in use by all 50 states and the territories.
State laws vary in focus as well as in degree of strictness or protectiveness of patients’
privacy. Some states require additional patient authorization be obtained prior to release;
some states do not.

ROI Applying the Steps
• Is the individual’s authorization required before Jefferson can release PHI?
• Under certain circumstances, the individual’s authorization is not required
• An authorization is required for disclosures of PHI not otherwise permitted by the Privacy
Rule or more stringent law
• If so, has the authorization been filled out completely and correctly?
TALKING POINTS

 The Privacy Rule allows the patient to request restrictions on the use and disclosure of PHI that a
covered entity would otherwise have the right to use or disclose. Jefferson, like any covered
entity, does not have to agree to the restriction. However, if Jefferson agrees, then Jefferson
must document and comply with the restriction.

 These variations in law require a covered entity such as Jefferson to develop, implement,
and maintain thorough policies, processes, and procedures around ROI. You may contact
Jefferson Compliance Administration or the Alertline if you are not sure what to do.

ROI: Evaluating Authorizations
• Should the access be denied? Has the access been denied?
• Is Jefferson providing only the information specified in the authorization?
• Is the authorization combined with another type of document to create an inappropriate
compound authorization?
• In what form/format should the information be provided?
• How much time does Jefferson have to respond to the request?
• Ask Compliance if you are uncertain about what steps to take.

Slide 16
Slide 17
Slide 18 ROI cont.
 An Authorization Mishap

• The patient’s Authorization to Release Information stated that only the records from January
1, 1995 to January 5, 1996 should be sent to her attorney. The ROI staff member did not
notice the limitation and also sent the documentation of a car accident on February 2, 1997.
The patient lost her court case and was fined $50,000.

TALKING POINTS
WHAT ARE JEFFERSON’S TRACKING AND MONITORING SPECIFICS?

Safeguarding Tips: DO’s
 Secure information from improper disclosure
o Share PHI only with those who need to know (direct care workers, staff), and do so discreetly
 Ensure the disclosure of information reaches the intended person
o Validate the correct fax number prior to faxing PHI
o Verify identity prior to releasing information when the patient is not present
o Request verbal authorization from the patient to discuss their health and conditions with those
who are present
 Secure workstations by logging off or locking your computer (Ctrl+Alt+Delete)
 Protect the integrity of the data
o Use secure e-mail
TALKING POINTS

 Jefferson’s PHI safeguards consist of five categories:
o Physical: all Jefferson facilities and buildings where patient data/information is
accessed, computer equipment, and portable devices
o Administrative: Jefferson provides training, job aids, and oversight to its workforce;
Jefferson controls employee access to patient information to ensure only the
minimum necessary information is accessible
o Technical: Epic access appropriate to the scope of an employee’s role within
Jefferson; audit logs to monitor an end user’s activities; measures that protect
patient data from improper alteration; and secure, authorized electronic exchanges
of patient information
o Policies & Procedures: Jefferson has written policies and procedures to ensure
HIPAA security compliance, documentation of security measures, written protocols on
authorizing uses, and record retention
o Organizational: Jefferson may outsource services to business associates.
Business associate agreements identify and manage vendors that access, create, or store PHI.
Jefferson also reviews and updates agreements as deemed necessary.
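The audit-log monitoring named under the Technical safeguards is, in practice, a review of access records for activity that has no treatment or business reason (the pretest scenario of looking up a neighbor in the ER is the classic case). The Python example below is added here and is not Jefferson’s or Epic’s own tooling: it reads a constructed access log in an assumed CSV layout, compares each access against an assumed care-team roster, and flags accesses with no treatment relationship, emergency ("break the glass") accesses that need secondary review, and accesses to records the roster does not know about.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample access log. The column layout is an assumption for this example;
# a real EHR audit export uses its own schema. "reason" is filled only when the user
# invoked emergency ("break the glass") access.
SAMPLE_LOG = """\
timestamp,user,user_dept,mrn,action,reason
2017-08-24T08:02:11,rnsmith,ER,0012345,view_chart,
2017-08-24T08:05:40,drjones,ER,0012345,order_entry,
2017-08-24T09:15:03,clerkwu,BILLING,0012345,view_encounter,
2017-08-24T10:22:57,rnsmith,ER,0098765,view_chart,
2017-08-24T11:03:19,techlee,RADIOLOGY,0012345,view_results,
2017-08-24T11:30:00,drjones,ER,0055555,view_chart,BREAK_GLASS:TRAUMA_CONSULT
2017-08-24T12:41:08,clerkwu,BILLING,0055555,view_chart,
2017-08-24T13:10:45,rnsmith,ER,0000001,view_chart,
"""

# Constructed care-team roster: departments with a treatment or payment relationship
# to each patient. In production this would come from the ADT/encounter system.
CARE_TEAM: Dict[str, Set[str]] = {
    "0012345": {"ER", "RADIOLOGY", "BILLING"},
    "0098765": {"ICU"},
    "0055555": {"ORTHO", "BILLING"},
}


@dataclass
class Finding:
    timestamp: str
    user: str
    mrn: str
    action: str
    kind: str  # no_treatment_relationship | break_glass_review | unknown_patient


def review_access_log(log_text: str, care_team: Dict[str, Set[str]]) -> List[Finding]:
    """Flag every access the care-team roster does not explain.

    Rule order matters: a record unknown to the roster can never be cleared, an emergency
    access is always queued for review even if the roster would have allowed it, and only
    then is an ordinary access cleared by department membership."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        mrn, dept, reason = row["mrn"], row["user_dept"], row["reason"]
        if mrn not in care_team:
            kind = "unknown_patient"
        elif reason.startswith("BREAK_GLASS"):
            kind = "break_glass_review"
        elif dept in care_team[mrn]:
            continue  # expected access: the user's department is on the care team
        else:
            kind = "no_treatment_relationship"
        findings.append(Finding(row["timestamp"], row["user"], mrn, row["action"], kind))
    return findings


def summarize_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per user so repeat offenders surface first in the review queue."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG, CARE_TEAM)
    for f in results:
        print(f"{f.timestamp} {f.user:8s} MRN {f.mrn} {f.action:15s} -> {f.kind}")
    print(summarize_by_user(results))
```

The department-level roster is deliberately coarse; a real review would also match on the individual clinician, the encounter window, and the patient’s own unit, and would send the findings to the privacy office rather than just print them.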

Safeguarding Tips: DON’Ts
 Family, Friends, You and PHI
o Do not share with family, friends, or anyone else a patient’s name or any information that
may identify him/her. For example:
 It would not be a good idea to tell your friend that a patient came in to be seen
after a severe car accident. The friend may know the patient.
 Do not inform anyone that you know a famous person, or their family members, were seen at
Jefferson

Slide 19

Activities (Classroom / Online)
Choose from below to make 20 minutes

1 ROLE-PLAY
 Divide the class into groups. Ask each group to think of three situations in which a privacy
violation might arise. The groups should then role-play these situations for the class to demonstrate
possible responses.

3 DISCUSS
 Discuss the parts of the Administrative Simplification portion of HIPAA and how it pertains to privacy
and confidentiality. This includes non-secure emails, discussions in the halls, and other means by which
confidentiality may be broken.

4 REVIEW RESEARCH
 Divide the learners into groups and have them complete Exercise 1-2 and then go over the answers
with the class.
 Facilitator may access HHS.gov, Health Information Privacy:
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

Critical Thinking Question
Confidentiality and privacy are important concepts in healthcare because………………..?

Discussion Guidelines: Covered entities and specified individuals who knowingly obtain or disclose
individually identifiable health information in violation of the Administrative Simplification regulations
face a fine of up to $50,000, as well as imprisonment of up to 1 year.

Offenses committed under false pretenses allow the penalties to be increased to a $100,000 fine, with up to 5
years in prison.
