In 1996 the federal government passed HIPAA (Health Insurance Portability and Accountability Act) to protect the confidentiality of health information. This law requires all healthcare organizations to establish privacy standards for all information related to our clients. This includes:
If we don’t comply, we can be fined $100 per offense (civil) and up to $250,000 and/or 10 years in prison (criminal penalty). Most of HIPAA’s requirements are just reasonable common sense. If you have specific questions, ask ___________, our designated Privacy Officer.
Areas of Privacy
_______________________________ ___________________ Secretary Team Leader Date
_______________________________ ___________________ Your Signature Date
QUICK REFERENCE HIPAA (PRIVACY) GUIDE
HealthPark Dentistry’s Training Manuals
Dr. Smith and Jill Nesbitt have written over 4000 pages of training manuals, and they own the federal copyright on these levels. Copyright law restricts you from physically copying these manuals for anything other than personal use. To protect the thousands of hours spent creating and updating these training manuals from being shared with other dental offices or other organizations outside HealthPark Dentistry, we are asking that you sign your agreement that you will follow the copyright law. By signing this, you agree not to give copies of any of your training manuals to anyone else.
I hereby agree that HealthPark’s training manuals contain certain proprietary information that is not to be disclosed to outside parties without HealthPark’s permission. I also agree not to give or sell to others a similar set of training manuals during my association with HealthPark or for a period of 7 years following my disassociation with HealthPark. Failure to abide by this stipulation shall result in damages to be determined by arbitration.
___________________ __________________ Signature Date
Identity Theft Detection Policy & Procedures
1) An individual falsely claiming to be someone else;
2) Unexplained discrepancies between the patient’s medical records and the patient’s physical condition;
3) A complaint by a patient that he or she has been the victim of identity theft in connection with services provided at HealthPark.
B. Responding to Red Flags
Any employee who recognizes a potential identity theft situation should report the situation to . She will follow up and record the incident.
C. Possible responses to a Red Flag Situation include the following:
1) Patient notification – We may notify the client if a Red Flag is encountered and verify the theft did not occur at our office.
2) Possible specific actions:
a) Cease any collection efforts that are related to the identity theft.
b) Notification of Legal Authorities
If we learn that a client or staff member has committed identity theft, we will contact law enforcement to the extent permitted under HIPAA and other privacy laws.
c) If a Red Flag is triggered but we determine that there clearly has been no identity theft, no action will be taken.
D. Plan Administration and Updates
1) All staff will receive a copy of this Policy to be signed.
2) We will evaluate our Program annually and update it in light of experience.
3) Any questions about this Policy should be addressed to the dentist.
E. ACKNOWLEDGEMENT (to be completed by all staff members who interact with patients)
I, ____________________, have read the practice’s Identity Theft Detection and Response Policy and Procedures and understand the contents. I have been instructed regarding situations that may suggest possible identity theft. If I discover a possible instance of identity theft, I will immediately bring the matter to the attention of ________.
_____________________________ _______________________ Staff person Date
HIPAA Security Quick Reference Guide
What is HIPAA?
The Health Insurance Portability and Accountability Act is a federal law. HIPAA provides for:
What is considered Protected Health Information (PHI) and Electronic Protected Health Information (ePHI)?
PHI Information is believed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity. Protected Health Information may include:
Examples of ePHI include any medium used to store, transmit, or receive PHI electronically, such as the following:
Who does HIPAA Security apply to?
HIPAA Security standards apply to covered entities, such as HealthPark Dentistry. A covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA. HIPAA Security standards apply to all individuals who have equipment connected to the UCHC network. In addition, they apply to all individuals, because as a member of the HealthPark Dentistry staff you may come in contact with patient information.
What are HIPAA Security Standards?
HIPAA Security Standards are Federal rules that:
How do I comply with the Security Standards?
As a member of this community you must do the following:
Names of staff/dentists that have remote access to our network:
I understand that I must follow the HIPAA Privacy and Security laws when I use my personal computer or cell phone to access PHI (Protected Health Information).
____________________________ _________________________ Name Date
• Assign security responsibility within the organization – __________ is the security officer.
• Develop policies and procedures to address security violations. This includes completing a risk analysis, implementing security measures to reduce risks and vulnerabilities, developing a sanction policy, and implementing procedures to review records of system activity on a regular basis.
Pop Quiz – to be done at least 2x/year – Walk through the office and look for computers logged into Dentrix when the user is at lunch or gone for more than 15 minutes. Document the staff who fail this quiz in their employee file.
• Attend to workforce security, including workforce clearance procedures, termination procedures and authorization, and/or supervision of workforce and management. – When a secretary or dentist is terminated, we change the security alarm to protect PHI. When a person with remote access is terminated, we let our IT company know so that their access is eliminated.
• Establish policies and procedures for granting access to ePHI. – Only the individuals identified above have access to ePHI.
• Provide security awareness training to the workforce and management. – This will occur annually along with the OSHA annual training and will be located in general level 1 for all staff to review.
• Identify and respond to security incidents.
• Implement policies and procedures for responding to an emergency, including plans to back up data, recover after a disaster, and operate during a disaster or emergency. – ________ is responsible for working with the IT support company to maintain a daily backup of PHI from the servers.
• Periodically evaluate the organization’s compliance with the Security standards. – Every 3-5 years, compliance will be evaluated.
• Limit physical access to electronic information systems and the facilities in which they are housed. – Charts are stored behind secretary desks and the servers are located in the doctor’s office.
• Proper authorization for access.
• Standards that ensure proper workstation use and physical security of workstations that access ePHI. – An ID & Password are required to access Dentrix on all computers.
• Standards for device and media controls. – Before any removable media is used, staff/dentists should review it with __________.
• Technical policies and procedures for access control on systems that maintain ePHI. These systems must allow for unique user identification and include an emergency access procedure for obtaining necessary ePHI during an emergency. Addressable specifications include automatic logoff and encryption and decryption. – An ID & Password are required to access Dentrix onsite and remotely.
• Hardware, software, and/or procedural methods for providing audit controls. – Our firewall provides data to show which computers have accessed websites and blocks restricted sites.
• Mechanisms to validate the ePHI has not been altered or destroyed in an unauthorized manner. – We can see the history of each patient appointment using the Dentrix software. We also can run an audit trail to identify more detailed changes.
Who enforces the Security standards?
The Centers for Medicare and Medicaid Services within the U.S. Department of Health and Human Services will enforce the security standards.
Civil and Criminal Penalties
Congress provided civil and criminal penalties for covered entities that misuse personal health information. For civil violations of the standards, the Office for Civil Rights may impose monetary penalties of up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. Criminal penalties apply for certain offenses: up to $100,000 and up to five years in prison if the offenses are committed under “false pretenses”, and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm.
Who to Contact?
If you believe privacy rights have been violated or that security breaches have occurred, these must be reported to ____________. Other occurrences that may constitute a security incident are: