Lesson Plan for 1. An Overview of HIPAA
Facilitator Lesson Guide: Introduction of the Protected Health Information Toolkit
1. Defining Learning
2. The importance of education on the Privacy and Security Rules
3. The Purpose of the Toolkit
4. Identifying the target audience
SECTION LESSON PLANS & OBJECTIVES
Section 1.1: Introduction to HIPAA
1. HIPAA Background
2. Identify the characteristics of the Privacy Rule
3. Identify the characteristics of the Security Rule
4. Interpretation of the Breach Notification Rule
SECTION TEACHING FOCUS
In these two sections, the learner will be introduced to an overview and background of the Health Insurance Portability and Accountability Act (HIPAA).
Discuss with the learners the importance of the Privacy Rule and the Security Rule and how these rules mandate the safeguarding of Protected Health Information.
Finally, the learner will learn about HIPAA’s Breach Notification Rule and the enforcement of the Privacy and Security Rules.
SECTION PRETEST ICE BREAKER
1. What kind of protected health information (PHI) is protected by the HIPAA Privacy Rule?
a. Paper
b. Electronic
c. The spoken word
d. All of the above
e. None of the above
2. You are working elsewhere in the hospital when you hear that a neighbor has just arrived in the ER for treatment after a car crash. You should:
a. Contact the neighbor’s spouse to alert him or her about the accident
b. Do nothing and pretend you don’t know about it
c. Tell the charge nurse in the ER that you know how to reach the patient’s spouse and offer the
information if it’s needed
SECTION PRETEST ANSWERS
LESSON 1.1
Facilitator Objectives Covered
1. Interpret rules of Health Insurance Portability and Accountability Act (HIPAA).
National Standards Covered
Content
Ethical decisions, medical jurisprudence, and confidentiality
Competencies
Perform within legal and ethical boundaries
Lesson Preparation Checklist
Prepare lecture from PHI Presentation Slides.
Assemble materials and supplies needed for each lesson as indicated below.
Evaluate learner performance on their knowledge of Protected Health Information, as required for learners’ comprehension and application of the Privacy and Security Rules, including:
o Safeguarding Protected Health Information
Materials and Supplies
Projector
Computer/Laptop
3x5 PHI Cards
PowerPoint Handouts (optional)
Key Terms
Business Associates
Business Associates Agreement
Electronic Data Exchange (EDI)
Electronic Medical Records (EMR)
Electronic Protected Health Information (EPHI)
Health Information
HIPAA
HITECH
HIPAA Audit
HIPAA Violations
Civil Penalties
Due Diligence
Reasonable Cause
Willful Neglect
Criminal Penalties
Individually Identifiable Health Information
OCR HIPAA Audit Protocol
Privacy Rule
Protected Health Information
Security Rule
15-Minute Facilitation Outline
Slide 1
Objectives: At the end of this education session the attendee will be able to:
1. Define PHI and identify examples of PHI
2. Apply appropriate safeguards to protect a patient’s PHI
3. Understand how privacy violations can happen
Slide 2
Slide 3 Privacy Rule
Slide 4
1. Privacy Rule went into effect April 14, 2003
2. Privacy refers to protection of an individual’s health care information in all modes of communication, such as:
Verbal or oral
Written
Electronic
3. Defines how to appropriately use patient information and disclose patient information
4. Outlines ways to safeguard PHI
TALKING POINTS:
The Privacy Rule requires everyone to safeguard and protect the privacy of our patients’ health information. There are limits and conditions on when and how PHI may be disclosed without a patient’s direct authorization.
Security Rule
Security is controlling:
1. Confidentiality of electronic protected health information
2. Storage of electronic protected health information
3. Access to electronic information
TALKING POINTS:
1. Jefferson is a covered entity and is required to develop and implement policies and procedures to protect the security of the ePHI we create, receive, maintain, or transmit.
2. Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit
3. Identify and protect against reasonably anticipated threats to the security or integrity of the
ePHI
4. Protect against reasonably anticipated, impermissible uses or disclosures
5. Ensure Jefferson’s workforce is in compliance
The Importance of Privacy and Security Education
All patient information is confidential
Anytime YOU come in contact with any PHI that is written, spoken, or electronically stored, YOU become involved with a component of the privacy and security regulations.
The law requires it!
To ensure your understanding of the Privacy and Security Rules as they relate to your job
TALKING POINTS:
1. A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being
2. Covered entities such as
Slide 5 HIPAA Breach Notification Rule
To do the “Right Thing” every time requires awareness and an understanding of security and privacy information. Education increases Jefferson associates’ awareness and understanding of:
Safeguarding:
Confidentiality of PHI
How to secure PHI appropriately and consequently mitigate the risk of having a patient’s PHI mishandled or inappropriately used
How to limit access by unauthorized persons
Minimizing the risk of noncompliance with laws and regulations
TALKING POINTS:
The HIPAA Breach Notification Rule requires Jefferson to notify affected individuals, HHS, and in
some cases, the media of a breach of unsecured PHI.
Most notifications must be provided without unreasonable delay and no later than 60 days
following the discovery of a breach.
Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to
HHS annually.
The Breach Notification Rule also requires business associates of Jefferson to notify
Jefferson of breaches at or by the business associate.
Activities (Online/Classroom): Choose from below to make 20 minutes
1 ROLE-PLAY
Divide the class into groups. Ask each group to think of three situations in which a privacy violation could arise. The groups should then role-play these situations for the group to demonstrate possible responses.
3 DISCUSS
Discuss the parts of the Administrative Simplification portion of HIPAA and how it pertains to privacy and confidentiality. This includes electronic transactions such as non-secure emails, discussions in the halls, and other means by which confidentiality may be broken.
4 REVIEW
Divide the Learners into groups and have them complete Exercise 1-2 and then go over the answers with the class.
RESEARCH
Facilitator may access HHS.gov, Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Critical Thinking Question
Confidentiality and privacy are important concepts in healthcare because ...?
Discussion Guidelines: Covered entities and specified individuals, as explained below, who knowingly obtain or disclose individually identifiable health information, in violation of the Administrative Simplification regulations, face a fine of up to $50,000, as well as imprisonment of up to 1 year.
Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.
Facilitator Notes/Learner Feedback
LESSON 2
Protected Health Information (PHI)
Facilitator Objectives Covered
1. Define PHI
2. Identify PHI Identifiers
National Standards Covered
Content
1. Ethical decisions, medical jurisprudence, and confidentiality
Competencies
1. Perform within legal and ethical boundaries
Lesson Preparation Checklist
Prepare lecture from PHI Presentation Slides.
Assemble materials and supplies needed for each lesson as indicated below.
Evaluate learner performance on their knowledge of Protected Health Information, as required for learners’ comprehension and application of the Privacy and Security Rules, including:
o Safeguarding Protected Health Information
Materials and Supplies
Projector
Computer/Laptop
3x5 PHI Cards
PowerPoint Handouts (optional)
Key Terms
Business Associates
Business Associates Agreement
Electronic Data Exchange (EDI)
Electronic Medical Records (EMR)
Electronic Protected Health Information (EPHI)
Health Information
HIPAA
HITECH
HIPAA Audit
HIPAA Violations
Civil Penalties
Due Diligence
Reasonable Cause
Willful Neglect
Criminal Penalties
Individually Identifiable Health Information
OCR HIPAA Audit Protocol
Privacy Rule
Protected Health Information
Security Rule
15-Minute Lesson Plan
Slide 6 Facilitation Outline
Objectives: At the end of this education session the attendee will be able to:
1. Define PHI and identify examples of PHI
2. Apply appropriate safeguards to protect a patient’s PHI
3. Understand how privacy violations can happen
Slide 7 What is PHI?
Slide 8
PHI is individually identifiable health information that is:
1. Created or received by a health care provider, employer, or health care clearinghouse
2. Related to the past, present, or future:
a. Physical or mental health or condition of an individual
b. Provision of health care to an individual
c. Payment for the provision of health care to an individual
TALKING POINTS:
The Privacy Rule establishes standards for the protection of PHI held by:
Health plans
Health care clearinghouses
Those health care providers that conduct certain health care transactions electronically
Business Associates
PHI Includes
Information in the health record, such as:
1. Encounter/visit documentation
2. Lab results
3. Appointment dates/times
4. Radiology films and reports
5. History and physicals
6. Patient identifiers
TALKING POINTS:
Slide 9 Patient Identifiers
There are eighteen patient identifiers:
Names
Medical Record Numbers
Social Security Numbers
Account Numbers
License/Certification Numbers
Vehicle Identifiers/Serial numbers/License plate numbers
Internet protocol addresses
Health plan numbers
Photos
Web URLs
Dates related to any individual (date of birth), and/or Date of Service
Telephone numbers
Fax numbers
Email address
Biometric identifiers including finger and voice prints
Any other unique identifying number, characteristic or code
TALKING POINTS:
Protected health information is any information in the medical record or designated record set
that can be used to identify an individual and that was created, used, or disclosed in the
course of providing a health care service such as diagnosis or treatment.
Slide 10
Slide 11 Why do we need to protect PHI?
It’s the law
To build trust between providers and patients
To protect our reputation
To avoid potential withholding of federal Medicaid and Medicare funds
TALKING POINTS:
Jefferson’s commitment to protecting patients’ privacy:
As an employee, you are obligated to comply with privacy and security policies and procedures
Jefferson patients and their family members are placing their trust in us to safeguard the privacy of their personal information
Most importantly, privacy is not an OPTION; it is REQUIRED
Employees who decide not to comply with HIPAA guidelines or Jefferson’s Code of Conduct risk personal and professional penalties and sanctions
Violating our patients’ privacy consequently places Jefferson at risk, including financial and reputational harm
Who or What Protects PHI?
Federal Government protects PHI through HIPAA regulations
Civil penalties up to $1,500,000/ year for identical types of violations
o Willful neglect violations are mandatory!
Criminal Penalties:
o $50,000 fine and 1 year prison for knowingly obtaining and wrongfully sharing
information
o $100,000 fine and 5 years prison for obtaining and disclosing through false pretense
o $250,000 fine and 10 years prison for obtaining and disclosing for commercial
advantage, personal gain, or malicious harm
Jefferson, through the Notice of Privacy Practices (NPP)
YOU, by following Jefferson’s policies and procedures
TALKING POINTS
Civil fines of $100 per violation, up to $25,000 for multiple violations of the standard in any given calendar year, may be imposed, but there are many instances in which the civil fines can be lifted or reduced:
o If an offense is otherwise punishable (that is, criminally sanctionable) under HIPAA, a civil penalty may not be imposed additionally.
o A civil penalty may not be imposed if it is established to the satisfaction of HHS that the persons liable for the penalty did not know, and by exercising reasonable diligence would not have known, that they violated the provision.
o A civil penalty may not be imposed if the failure to comply was due to reasonable cause, not willful neglect, and the failure is corrected during the 30-day period beginning on the first date that the failure to comply occurred. The 30-day period may be extended on request for a period of time determined by considering the nature of the non-compliance, at the discretion of HHS.
o In the case of a failure to comply owing to reasonable cause and not to willful neglect, any penalty that is not entirely waived may be waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.
Criminal Penalties
o There are no exceptions explicitly set out in the HIPAA statute for mitigation or waiver of the criminal penalty provisions.
Slide 12
Slide 13 What is Minimum Necessary?
Slides 14 and 15
To use, disclose, or release only the “minimum necessary” amount of information to accomplish the intended purposes of the use, disclosure, or request.
Requests from employees at Jefferson:
o Identify each co-worker who needs to access the patient’s PHI
o Limit the PHI provided to a “need-to-know” basis
Requests from individuals not employed at Jefferson:
o Limit the PHI provided to what is needed to accomplish the purpose for which the request was made
o Ensure that the requestor has the appropriate security and rights to receive the requested information
TALKING POINTS
The Privacy Rule requires strict adherence to its requirements. Therefore, a covered entity
may not use or disclose PHI, except as permitted or required by Privacy Rule regulations
The Privacy Rule requires that, even when permitted to disclose PHI, you will utilize every
reasonable effort to limit disclosure.
A patient can inspect, copy or amend their PHI, where specific criteria are satisfied, and it
also grants a patient the right to an accounting of unauthorized uses and disclosures of their
protected health information.
Release of Information (ROI)
• When releasing PHI, it is important to know when a patient’s authorization is required. Patient authorizations are governed by state and federal law
TALKING POINTS
There is no standard, uniform state privacy law in use by all 50 states and the territories. State laws also vary in focus as well as in degree of strictness or protectiveness of patients’ privacy. Some states require additional patient authorization be obtained prior to release; some states do not.
ROI Applying the Steps
• Is the individual’s authorization required before Jefferson can release PHI?
• Under certain circumstances, the individual’s authorization is not required
• An authorization is required for disclosures of PHI not otherwise permitted by the Privacy Rule or a more stringent law
• If so, has the authorization been filled out completely and correctly?
TALKING POINTS
The Privacy Rule allows the patient to restrict the use and disclosure of their PHI that a covered entity may otherwise have the right to use or disclose. Jefferson, or any covered entity, does not have to agree to the restriction. However, if Jefferson or the covered entity agrees, then Jefferson must document compliance with the restriction.
These variations in law require a covered entity such as Jefferson to develop, implement, and maintain thorough policies, processes, and procedures around ROI. You may contact the Jefferson Compliance Administration or Alertline if you are not sure what to do.
ROI
• Evaluating Authorizations
• Should the access be denied? Has the access been denied?
• Is Jefferson providing only the information specified in the authorization?
• Is the authorization combined with another type of document to create an inappropriate
compound authorization?
• In what form/format should the information be provided?
• How much time does Jefferson have to respond to the request?
• Ask Compliance if you are uncertain about what steps to take.
Slide 16
Slide 17
Slide 18 ROI cont.
An Authorization Mishap
• The patient’s Authorization to Release Information stated that only the records from January 1, 1995 to January 5, 1996 should be sent to her attorney. The ROI staff member did not notice the limitation and sent the documentation of a car accident on February 2, 1997. The patient lost her court case and was fined $50,000.
TALKING POINTS
WHAT ARE JEFFERSON’S TRACKING AND MONITORING SPECIFICS?
Safeguarding Tips DO’s
Secure information from improper disclosure
o Share PHI to those who need to know (direct care workers, staff) discreetly
Ensure the disclosure of information reaches the intended person
o Validate the correct fax number prior to faxing PHI
o Verification of identity prior to releasing information without the patient present
o Request verbal authorization from patient to discuss their health, conditions with those
that are present
Secure workstations by logging off or locking your computer (Ctrl+Alt+Delete)
Protect the integrity of the data
o Secure e-mail
TALKING POINTS
Jefferson’s PHI safeguards consist of five categories:
o Physical: all Jefferson facilities and buildings where patient data/information is accessed, computer equipment, and portable devices
o Administrative: Jefferson provides training, job aids, and oversight to its workforce; Jefferson controls employee and patient information access to ensure only the minimum necessary information is accessible
o Technical: Epic access appropriate to the scope of an employee’s role within Jefferson; audit logs to monitor an end user’s activities; measures that protect patient data from improper changes; and secure, authorized electronic exchanges of patient information
o Policies & Procedures: Jefferson has written policies and procedures to ensure HIPAA security compliance, documented security measures, written protocols on authorizing uses, and record retention
o Organizational: Jefferson may outsource services to business associates. Business Associate Agreements identify and manage vendors that access, create, or store PHI. Jefferson also reviews and updates agreements as deemed necessary.
Safeguarding Tips DON’Ts
Family, Friends, You and PHI
o Do not share with family, friends, or anyone else a patient’s name or any information that may identify him/her. For example:
It would not be a good idea to tell your friend that a patient came in to be seen after a severe car accident. The friend may know the patient.
o Do not inform anyone that you know a famous person, or their family members, were seen at Jefferson
Slide 19
Activities (Online/Classroom): Choose from below to make 20 minutes
1 ROLE-PLAY
Divide the class into groups. Ask each group to think of three situations in which a privacy violation could arise. The groups should then role-play these situations for the group to demonstrate possible responses.
3 DISCUSS
Discuss the parts of the Administrative Simplification portion of HIPAA and how it pertains to privacy and confidentiality. This includes electronic transactions such as non-secure emails, discussions in the halls, and other means by which confidentiality may be broken.
4 REVIEW
Divide the Learners into groups and have them complete Exercise 1-2 and then go over the answers with the class.
RESEARCH
Facilitator may access HHS.gov, Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Critical Thinking Question
Confidentiality and privacy are important concepts in healthcare because ...?
Discussion Guidelines: Covered entities and specified individuals, as explained below, who knowingly obtain or disclose individually identifiable health information, in violation of the Administrative Simplification regulations, face a fine of up to $50,000, as well as imprisonment of up to 1 year.
Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.