Health Insurance Portability and Accountability Act
Patient Privacy & Security
Allison Martin & Kimberly Segal
Barbara Ann Karmanos Cancer Center
February 2013
HIPAA Module Objectives
After completing this training module, you should be able to:
1. Understand key HIPAA terms.
2. Apply the general HIPAA rules that govern your everyday
work at Karmanos.
3. Know where to turn for help if you have questions or
concerns to report regarding patient privacy.
Karmanos’ Commitment to Protecting our
Patients’ Privacy Under HIPAA
HIPAA stands for the Health Insurance Portability and Accountability Act.
HIPAA is a federal law that sets standards regarding protection of confidential
patient data.
Who is responsible for complying with HIPAA?
– Covered Entities: a health care provider that transmits health information
electronically (for example, to submit bills), a health plan, or a health care clearinghouse.
– All Covered Entities (Karmanos is a Covered Entity), along with their Business
Associates (organizations that use or access patient information on the Covered Entity’s behalf).
Karmanos is committed to protecting the confidential and private information
of our patients.
Remember that employees, friends and family members who are treated at
Karmanos are our patients too! If you have had testing or treatment at
Karmanos, you were a patient! These records may only be accessed as a
part of your routine job duties.
Protecting the privacy of our patients is EVERYONE’S job.
Protected Health Information (PHI)
Includes the Following Identifiers:
• Street Address, City, County, Zip Code
• Dates:
– Birth
– Admission
– Discharge
– Death
• Numbers:
– Social Security
– Medical Record
– Account (FIN)
– Health Plan Beneficiary
– License
– Vehicle Identification
– Telephone or Fax
• E-mail Address
• Biometric Identifiers
• Full Face Photos
• Any Other Unique Identifying Number, Characteristic, or Code
Protected Health Information
• Protected Health Information (PHI) includes information:
– On paper
– In a computer
– Orally communicated
– In any other form
• Electronic Protected Health Information (EPHI)
includes information:
– On your computer hard drive
– On floppy disks, CDs or magnetic tapes
– Sent via the Internet:
• By e-mail
• By other means
Treatment, Payment & Operations (TPO):
– Treatment:
Various activities related to patient care.
– Payment:
Various activities related to paying for or
getting paid for health care services.
– Operations:
Generally refers to day-to-day activities of a
covered entity, such as planning, management,
training, quality-improvement, education.
Note: Research is not considered TPO. Written patient
authorization is required to access PHI for research.
Notice of Privacy Practices (NPP)
As a Covered Entity under HIPAA, Karmanos has developed a Notice of
Privacy Practices (NPP) for distribution to our patients.
• The NPP states Karmanos’ practices for the use and disclosure of personal health
information.
• The NPP informs patients of their privacy rights with
respect to their personal health information.
• The NPP provides a detailed description of the uses and disclosures of
PHI that are permissible without obtaining a patient’s authorization.
• The NPP is intended to focus individuals on privacy issues and
concerns, and to prompt them to have discussions with their health
care providers.
Business Associate Agreement (BAA)
• Business Associates are usually vendors who perform some function
or service for Karmanos that requires them to have access to our
patients’ information.
• A Business Associate Agreement (BAA) is a signed agreement
promising to keep PHI confidential in accordance with HIPAA.
• Karmanos, a Covered Entity under HIPAA, is required to sign
Business Associate Agreements with the organizations and
individuals with whom it shares Protected Health Information (PHI).
• If you are working with a vendor and are not sure if you need a BAA,
you may contact Materials Management or the Compliance
Department at [email protected]
Authorization (Release of Information)
• Authorization to Release Information is signed permission
allowing Karmanos to use or disclose a patient’s PHI for
reasons generally not related to Treatment, Payment or
Healthcare Operations (TPO).
• The Authorization must include: a detailed description of
the PHI to be disclosed, who will make the disclosure, to
whom the disclosure will be made, expiration date, and the
purpose of the disclosure.
• See Policy HIM020, Release of Information
• Contact Health Information Management (HIM) to
determine the appropriate authorization form needed for
your purpose.
Highly Confidential Information
• Michigan law provides even more protection than HIPAA
in some cases. This applies to highly confidential areas
which include:
– Mental Health and Substance Abuse
– HIV/AIDS Testing or Treatment
– Psychotherapy Notes (which are not part of the medical record)
If you have questions about handling highly confidential information:
• Ask your supervisor
• Contact Health Information Management (HIM)
• Email the Compliance Department at [email protected]
Types of Disclosures
• No Authorization Required: to disclose PHI to the
patient, to use or disclose PHI for treatment, payment or
healthcare operations (TPO) and certain other disclosures
required by law (for example, public health reporting of
diseases, abuse/neglect cases, etc.)
• No Authorization Required, BUT Must Offer
Opportunity to Object: a patient must be offered an
opportunity to object BEFORE discussing PHI with a
patient’s family or friends.
• Authorization IS Required: for research, and when
conducting certain fundraising or marketing activities.
Incidental Disclosures
• HIPAA recognizes that some disclosures are not completely avoidable.
These are called “Incidental Disclosures.”
• For example, visitors may overhear a clinical discussion as they are
walking down the hallway of an inpatient unit or a visitor may hear a
patient’s name called out in a waiting room.
• HIPAA requires that reasonable safeguards be put in place to limit
incidental disclosures.
– Speak in soft tones when discussing PHI in open areas.
– Do not discuss PHI in public hallways, elevators or other public locations
– Only use the minimum amount of information necessary to carry out the
intended purpose
Every Day Practices For Securing PHI
Do:
– log off your computer when you will be away from it.
– position monitors out of view of the public.
– change your password as defined in policy.
– choose passwords that are not easily guessed.
– use password-protected screensavers and keyboard locks.
– keep disks or tapes in a secure location.
– immediately report anyone asking for your password (no one, inside or
outside of KCC, needs it to do their job).
Every Day Practices For Securing PHI
Do not:
– share passwords or login IDs.
– write down passwords where others may access them.
– open unknown attachments or files, or e-mails from senders you do not recognize.
– install unapproved software or hardware.
– use unapproved e-mail services, such as Hotmail, Yahoo, etc.
Every Day Practices For Securing PHI
• Use caution and respect patients’ privacy when discussing protected health
information in public.
• Read and understand the policies and procedures relating to HIPAA Privacy &
Security.
• When using or disclosing protected health information, limit the PHI to the
minimum necessary to accomplish the intended use.
• Workers should only access or use the PHI necessary to conduct their job duties.
• All electronic systems are audited: a log of every access is maintained and
reviewed, so that access outside of routine job duties can be detected.
For Faxes:
• Double-check the fax number before sending.
• Use a cover page that includes your contact information.
• If the fax is received by the wrong location, have it destroyed or returned to you.
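The statement above that every access is logged only protects patients if someone actually reviews the log against the rules in this module. The following is an added example written for this page, not Karmanos code: the log format, user IDs, medical record numbers, care-team assignments and role names are all constructed for illustration. It shows the two checks a privacy audit most often starts with, an employee opening their own record (prohibited above unless it is part of routine job duties) and a chart opened by someone with no documented treatment relationship to the patient.

```python
"""Access-log review for the PHI access rules in this module (added example).

Everything below is constructed: the CSV layout, the users, the MRNs and the
care-team table are placeholders, not a real system's data.
"""
import csv
import io

# Constructed sample audit log: one row per chart access.
SAMPLE_LOG = """\
timestamp,user_id,role,mrn,action
2013-02-04T08:02:11,rn_jones,nurse,MRN1001,view
2013-02-04T08:05:40,rn_jones,nurse,MRN1002,view
2013-02-04T08:09:03,clerk_smith,registration,MRN1001,view
2013-02-04T08:15:27,rn_jones,nurse,MRN2042,view
2013-02-04T09:30:00,dr_lee,physician,MRN1002,view
2013-02-04T09:31:12,dr_lee,physician,MRN3077,print
2013-02-04T12:00:45,clerk_smith,registration,MRN1003,view
"""

# Constructed: employees who are also patients, user_id -> their own MRN.
EMPLOYEE_MRN = {"rn_jones": "MRN2042"}

# Constructed: documented treatment relationships, MRN -> users on the care team.
CARE_TEAM = {
    "MRN1001": {"rn_jones", "dr_lee"},
    "MRN1002": {"rn_jones", "dr_lee"},
    "MRN1003": {"dr_lee"},
    "MRN2042": {"dr_lee"},
    "MRN3077": {"dr_patel"},
}

# Constructed: roles whose job duties span all patients (registration, billing),
# so the treatment-relationship check does not apply to them.
RELATIONSHIP_EXEMPT_ROLES = {"registration", "billing"}


def review_access_log(log_text, employee_mrn, care_team, exempt_roles):
    """Return findings as (timestamp, user_id, mrn, reason) tuples.

    Two rules, applied to every row:
      self_access               the user opened their own record
      no_treatment_relationship the user is not on the patient's care team
                                and their role is not exempt from that check
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, role, mrn = row["user_id"], row["role"], row["mrn"]
        if employee_mrn.get(user) == mrn:
            findings.append((row["timestamp"], user, mrn, "self_access"))
            continue
        if role in exempt_roles:
            continue
        if user not in care_team.get(mrn, set()):
            findings.append((row["timestamp"], user, mrn, "no_treatment_relationship"))
    return findings


def findings_by_user(findings):
    """Group findings per user so Compliance sees one summary line per person."""
    summary = {}
    for _ts, user, mrn, reason in findings:
        summary.setdefault(user, []).append((mrn, reason))
    return summary


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG, EMPLOYEE_MRN, CARE_TEAM,
                                RELATIONSHIP_EXEMPT_ROLES)
    for user, items in findings_by_user(results).items():
        print(user, items)
```

On the sample above the review flags rn_jones opening MRN2042 (their own record) and dr_lee printing MRN3077 (no documented relationship); clerk_smith is not flagged because registration staff legitimately touch any chart. In a real system the care-team table is never complete (covering physicians, consults, emergencies), so these findings are leads for the Compliance Office to follow up, not verdicts.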
Protecting your Computer & PHI
• Report any suspicious activity, such as new software or hardware
appearing on your computer to the Help Desk.
• Contact your supervisor or the Help Desk if you believe someone
may have logged onto your computer.
• Secure PDAs and Laptops:
– Always use a password-protected screen saver.
– Back up your data.
– Install and use virus protection software.
– Lock devices in a secure location when not in use.
– If a device is lost or stolen, file an incident report immediately.
Email and PHI
• Email sent between mailboxes within the Karmanos Email
System ([email protected]) is secure.
• Email from the Karmanos email system to any other
system is NOT considered secure unless it is encrypted. Note that
this includes DMC and WSU email addresses: email sent
from Karmanos to those systems is not secure unless encrypted.
• Encryption can be forced for email containing PHI sent from a
Karmanos address to a non-Karmanos address by
typing [SECURE] in the subject line.
• In all cases, use the minimum necessary PHI
Emergency Downtime
• Karmanos Cancer Center has a contingency plan to
address system access during power failures, disasters,
weather hazards or other situations limiting access to
patient data:
Know the recovery plan as it relates to your job
Know the related policies
Know how to report emergencies
Know how the emergency may impact patient care
Consequences of HIPAA Violations
• Disciplinary action up to and including termination.
• Exclusion from participation in Medicare and Medicaid programs.
• NOTE: Individuals (This Means You!) can be subject to criminal
prosecution, fines and imprisonment.
• HIPAA Specific:
– Up to one year in prison / $50,000 fine for knowingly misusing protected health information.
– Up to five years / $100,000 for misuse of PHI under false pretenses.
– Up to ten years / $250,000 for misuse with intent to sell, transfer or use
PHI for commercial advantage, personal gain or malicious harm.
HIPAA Reporting
You are required to understand the law, and how it affects your job. Even an
“accidental” disclosure could have consequences.
As a condition of employment, employees agree to read and abide by the
policies and procedures covering HIPAA.
Individuals should immediately report any observed or suspected HIPAA
breach to:
Your supervisor
Compliance Office: 1-877-857-6007
Compliance Hotline (Anonymous Reporting) at: 1-888-478-3555
Not Sure? Report It Anyway.
Too Late? Report It Anyway.
Already Told Us? Report It Again!
Safeguarding PHI is everyone’s job.
HIPAA Resources
• Internal Karmanos Resources
– Kim Segal – Director-Compliance & Privacy, 576-8898
– Allison Martin, VP Compliance & Regulatory, 576-9084
We hope this Computer Based Learning course has been both
informative and helpful.
Feel free to review this course until you are confident about your
knowledge of the material presented.