HIPAA Security Training Deadline April 21, 2005 Start


HIPAA Security Training Agenda

Lesson 1. HIPAA Security Ruling

Lesson 2. Information Security Officer

Lesson 3. On Site Security Liaison

Lesson 4. Electronic Protected Health Information (ePHI)

Lesson 5. Accessing ePHI

Lesson 6. Password Maintenance

Lesson 7. Computer Audits

Lesson 8. Safeguards - Physical and Technical

Lesson 9. Disposing of ePHI

Lesson 10. Reporting Security Risks

Lesson 11. My responsibility for Securing ePHI


Lesson 1. HIPAA Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) security rule applies to all individually identifiable health information that is in electronic form, whether it is being stored or transmitted.

– The HIPAA Security Rule deadline is April 21, 2005.

– Security applies to the physical, technical and administrative safeguards that are put in place to protect the integrity, availability and confidentiality of information.


Lesson 2. Security Officer

The purpose of the HIPAA Information Security Officer is to protect the confidentiality, integrity, and availability of information systems and Electronic Protected Health Information (ePHI).

– The HIPAA Information Security Officer is responsible for the development and implementation of all policies and procedures necessary to protect our information systems and ePHI.

– The OPRS Information Security Officer is Joyce Miller Evans, Vice President and Chief Information Officer at Corporate.


Lesson 3. On-site HIPAA Liaison

The purpose of the On-site HIPAA Security Liaison is to provide each facility with a contact for asking questions or reporting issues. The liaisons will work closely with the Information Security Officer to protect the confidentiality, integrity, and availability of information systems and Electronic Protected Health Information (ePHI).

– Example

• The On-site contact for Breckenridge Village is Elaine Kuhl.


Lesson 4. Electronic Protected Health Information

Forms of ePHI at OPRS are:

– Resident information in the following systems:

• AIM – CCRC Resident Billing System

• Misys – Home Care Clinical Documentation & Billing System

• Reps – Marketing Database

• Micromain – Work Order System

• Momentus – Dietary System

• Raiser’s Edge – Fund Raising System

• Tele-health – Remote Patient Care

• Other Data – Excel Spreadsheets and Access Databases

– Possible forms are name, location and level of care, diagnosis, treatment plan, MDS, etc.


Lesson 5. Access Authorization

Authorization to computers and data is provided on an as-needed basis and is authorized by your supervisor.

– Obtaining a manager’s approval is required for computer access. An email from a manager is required to obtain computer access.

– Changing job duties or roles requires a review of a user’s access.

– Any attempt to gain access to information systems containing ePHI for which you do not have proper authorization is prohibited and may result in sanctions.


Lesson 6. Password Management

OPRS has policies for creating, changing and safeguarding passwords for logging on to any computer system.

– Passwords are used to validate a user’s identity and establish access to its information systems and data.

– Each user establishes their own password. Passwords shall be a mix of numeric and alphabetical characters, with at least one symbol.

– (Example: &mrd48e2)

YOUR PASSWORD IS NOT TO BE SHARED WITH ANYONE!


Lesson 7. System Audit Activity

Local and Corporate personnel will be auditing user access to ePHI.

– These audits will be conducted on a regular basis, and any necessary steps addressing corrective action will be taken.

– Any user who has concerns about unauthorized access to ePHI shall contact their On-site HIPAA Security Liaison.


Lesson 8. Safeguards

Physical

– Do not leave your computer screens with resident information

– Workstations should be placed in secure areas, and monitors should not be visible to the general public.

– All computer servers are to be physically secured and locked in each community.

– Report any issues to your on-site HIPAA Liaison.

Technical

– OPRS network runs anti-virus software on all PCs

– OPRS PCs use password protected screen savers

– All users accessing the OPRS network from home or a remote site shall follow OPRS policies.

– All OPRS ePHI data is stored and backed up regularly

– OPRS Business Continuity Plan to be utilized for business interruptions.

– Downloading from the internet is not permitted at OPRS without permission from the IS Technical Director. (includes PC screen savers and backgrounds)


Lesson 9. PC Disposal - ePHI

The disposal of all devices storing ePHI shall be done following HIPAA Policy.

– Procedures for removing the device from the site include:

• Logging the pick up

• Reason for the transaction

• Removal of ePHI

• Verification of disposal

– This must be done prior to disposing of the device.


Lesson 10. Reporting Security Risks

Responsibility for protecting ePHI is to be shared by all OPRS employees.

– If you notice ePHI is not being protected, call your on-site HIPAA Security Liaison or Security Officer, depending on the seriousness of the risk.

– A response to your concern will be provided to you as part of the resolution to the issue.


Lesson 11. My Responsibility in Securing ePHI

– Knowledge of the Security HIPAA regulations

– Recognize your Security Officer and On-site Security Liaison

– No ePHI to be sent electronically, including emails, outside OPRS without IS Technology Director approval

– Know how to report a security issue

– Use good passwords

– Follow the OPRS policies related to computer use

– Read your quarterly HIPAA Newsletter

– Understand that misconduct with computer equipment or its use will involve disciplinary action


Post Test

Test Your Knowledge


HIPAA Security

What is the compliance date for the Security component of the HIPAA regulation?

a. March 30, 2005

b. April 15, 2005

c. April 21, 2005


HIPAA Security

Name the three types of safeguards discussed in the Security Rule.

a. Physical

b. Administrative

c. Technical

d. All of the above


HIPAA Security

What type of PHI is protected under the Security Rule?

a. All PHI

b. Only written PHI

c. Electronic PHI


HIPAA Security

Since I work at OPRS I have the right to access anybody’s Electronic Protected Health Information or ePHI, even if it doesn’t pertain to my job duties.

a. True

b. False


HIPAA Security

Which of the following are examples of electronic media?

a. Any computer, networks, desktops and laptops

b. Magnetic tapes and compact discs

c. Personal digital assistants and handheld computers

d. All of the above


HIPAA Security

All of the following statements are good examples of computer device custodial practices except:

a. My computer makes me put in a private password when I log in every morning

b. I only access information as it applies to my job duties, or on a need-to-know basis

c. My computer is visible to anyone who comes to the desk to check in or out


HIPAA Security

Who is the Information Security Officer for OPRS?

a. Joyce Miller Evans

b. David Kaasa

c. Ken Kemper

d. Brad Reynolds


HIPAA Security

Who is your On-site HIPAA Liaison?

Elaine Kuhl – BV

Jackie Shutt – WT

Theresa Kies – DL

Annette Linton – MP

Tim Lanning – SC

Home Care Administrators

Paul Shaw – VC

Maurita Hoffman – LV

Beth Barber – CM

Karen Bakita – RN

Nancy Conroy – LT

Robin Heinz – PV


HIPAA Security

This concludes the HIPAA Security general training. If you have questions contact your local HIPAA Security Liaison or your local Human Resources Department.

The Corporate Information Security Officer may also be contacted with questions or concerns and be reached at 614 888-7800.
