HIPAA requires that all shredding be witnessed by your practice. If you have a document shredding service, you should always follow your privacy protected health care documents to the truck and watch the shredding take place, this is required by law. Don't let your shredding service take the documents away with out seeing them destroyed. I've seen Iron Mountain wheel documents from a health care facility and put the cart into a box truck and drive off. If this happens to your practice, ask your shredding service for a video showing YOUR documents being destroy...better yet, just find a shredding service like Shred Bull and watch your HIPAA protected documents and hard drives shredded right there at your location.
Questions To Consider
Why was the Health Insurance Portability and Accountability Act (HIPAA) established?
- The focus of the statute is to create confidentiality systems within and beyond healthcare facilities.
- The goal of keeping protected health information private.
Whom does HIPAA cover?
- All persons working in a healthcare facility or private office
- Non-patient care employees
- Health plans (e.g., insurance companies)
- Billing companies
- Electronic medical record companies
What are basic HIPAA goals?
- To limit the use of protected health information to those with a “need to know.”
- To penalize those who do not comply with confidentiality regulations.
What health information is protected?
- Any health care information with an identifier that links a specific patient to healthcare information (name, social security number, telephone number, email address, street address, among others)
Differentiate between HIPAA privacy rules, use and disclosure of information?
- Use: How information is used within a healthcare facility
- Disclosure: How information is shared outside a health care facility
- Privacy rules: Patients must give signed consent for the use of their personal information or disclosure
What are the legal exceptions when health care professionals can breach confidentiality without permission?
- Gunshot wound
- Stab wound
- Injuries sustained in a crime
- Child/Elderly abuse
- Infectious, communicable or reportable diseases
What types of data does HIPAA protect?
- Written, paper, spoken, or electronic data
- Transmission of data within and outside a health care facility
- Applies to anyone or any institution involved with the use of healthcare-related data
- Data size does not matter
What types of electronic devices must facility security systems protect?
- Both hardware and software
- Unauthorized access to health care data or devices such as a user attempting to change passwords at defined intervals
What is the job of a HIPAA security officer?
- IT background
- Document and maintain security policies and procedures
- Audit the systems
- Risk assessments and compliance with policies/procedures
What does a security risk assessment entail?
- Should be undertaken at all healthcare facilities
- Assess risk of virus infection and hackers
- Create safeguards against risks
What are physical safeguards?
- Secure printers, fax machines, and computers
- Locks on computer and record rooms
- Destroy sensitive information
What type of employee training for HIPAA is necessary?
- Ideally under the supervision of the security officer
- Level of access increases with responsibility
- Annual HIPAA training with updates mandatory for all employees
What type of reminder policies should be in place?
- E-mail alert, posters
- Log-on, log-off computer notices
How should a sanctions policy for HIPAA violations be written?
- Clear, non-ambiguous plain English policy
- Apply equally to all employees and contractors
- Sale of information results in termination
- Repeat offense increases the punishment
What discussions regarding patient information may be conducted in public locations?
- Conversational information is covered by confidentiality/HIPAA
- Do not talk about patients or protected health information in public locations
How do you protect electronic information?
- Point computer screens away from public
- Use privacy sliding doors at the reception desk
- Never leave protected health information unattended
- Log off workstations when leaving an area
How do you ensure password protection?
- Do not share the password
- Do not write down the password
- Do not verbalize password
- Do not email your password
How do you select a safe password?
- Do not select consecutive digits
- Do not select information that can be easily guessed
- Choose something that can be remembered but not guessed
ADDITIONAL HIPAA RESOURCES