HIPAA Training
Developed for Ridgeview Institute 2012
Hospital Wide Orientation
Introduction
The purpose of HIPAA training is to uphold the
confidentiality of medical record information and
protect the patient’s right to privacy in the
collection and disclosure of patient information.
HIPAA regulations require organizations, such as Ridgeview
Institute, to provide HIPAA training to its workforce members.
What is HIPAA?
Health Insurance Portability and Accountability Act
(HIPAA) is a federal law to provide privacy standards to
protect patient’s medical records and other health
information provided to health plans, doctors, hospitals,
and other health care providers.
These standards provide patients with access to their medical
records and more control over how their personal health information
is used and disclosed.
Patient Rights
Patients have the right:
• To receive a copy of Ridgeview Institutes
Notice of Privacy Practices
• To request restrictions on disclosures of
Protected Health Information
• To receive an accounting of disclosures
• To request an alternate means of
communication, such as sending mail to a
P.O. Box versus home address.
Right to Complain
Patients have the right to complain if they feel their privacy
rights have been violated.
Refer patients with complaints about privacy violations
to Ridgeview Institute’s Privacy Officer.
Anita Thomas ext. 2801
HIPAAprivacyofficer@ridgeviewinstitute.com
Protecting Patient Confidentiality
As a healthcare worker, you must do your best to keep
patient information confidential, regardless of whether you
know the patient.
Discussing PHI with individuals not involved in the patient’s care
is a violation of the patient’s rights!
Each Ridgeview work force member is responsible for
maintaining and protecting the privacy and confidentiality of
patients, family members, visitors, and co-workers.
What is PHI?
All protected health information (PHI) is subject to federal
HIPAA regulation, which refers to any information that
identifies a patient and relates to at least one of the
following:
1. The individual's past, present, or
future physical or mental health
2. The provision of health care to the
individual
3. Past, present, or future payment
for health care
Information that can identify an individual
includes either the individual's name
or any other information that could
enable someone to determine the
individual's identity.
PHI & ePHI
Types of Identifying Health Information
Definitions
Protected Health Information (PHI)
is all individually identifiable health
information held or transmitted by
Ridgeview in any form or media
whether electronic, paper records,
fax documents or oral
communications.
ePHI is all individually identifiable
health information that Ridgeview
creates, receives, maintains or
transmits in electronic form.
 Name
 Address
 All elements (except years) of dates related to an
individual (including birth date, admission date,
discharge date, date of death, and exact age if over
89)
 Telephone numbers
 FAX number
 Email address
 Social Security number
 Medical record number
 Health plan beneficiary number
 Account number
 Certificate/license number
 Any vehicle or other device serial number
 Device identifiers or serial numbers
 Web URL
 IP address
 Finger or voice prints
 Photographic images
 Any other characteristic that could uniquely identify
the individual
Physical Security
Physical Security involves common sense steps to
safeguard information from physical threats.
These steps include:
 Locking Doors & Desks
 Storing Computer equipment safely and securely
 Making sure that those around you cannot easily
view PHI or ePHI
 Controlled Facility Access (e.g., ID badge)
Physical Safeguards
Ridgeview Institute takes measures to provide physical safeguards by limiting
physical access to facilities where PHI is stored and requiring employees to
wear authorized ID badges at all times while on campus.
Additional required steps include:
• Never leave your PC unattended while you are
logged in.
• Never share your log in password with
anyone. It is a violation of Ridgeview Policy to
share your password or log-in credentials.
• Keep your computer monitor positioned out of
public view.
• Hold your conversations with patient/family in
areas where PHI is not easily overheard.
Inappropriate access to PHI
It is a blatant violation of patient privacy to view someone’s record
for reasons outside of your role at Ridgeview Institute.
Those authorized to view a patient’s record are allowed to do so
only as needed to perform their job.
This limited access includes restrictions to accessing Hard
Copies (Paper Records) and Electronic Data Records.
HIPAA–Minimum Necessary
Requirement
HIPAA calls on health care workers to use the minimum
amount of patient information they need to do their jobs
efficiently and effectively.
Ask yourself:
– Do I need this information to do my job and provide good patient
care?
– What is the least amount of information I need to do my job?
– What is the minimum amount I need to share with other to
provide quality patient care?
Disclosure of PHI
HIPAA requires an authorization signed by the patient or the
patients’ legal guardian before any PHI may be communicated
verbally or in writing to another party.
Federal regulations require documentation of what information was released, the
date released, and who released the information, be recorded in the medical
record. This may be documented at the bottom of the authorization form.
Exceptions to Disclosure




Medical Emergencies
Reporting of Suspected Abuse (child or elder)
Reporting of Communicable Diseases
Court Order
Disposal of PHI
HIPAA requires Protected Health Information (PHI) to be kept
confidential even when it’s being thrown away.
It is the responsibility of ALL Ridgeview work force members to
dispose of anything with PHI in a locked trash bin designated for
disposal of confidential information.
Misdirected Faxes with PHI
Misdirected faxes are not uncommon in the
daily operations of a healthcare facility.
 A Ridgeview employee who
unintentionally sends a fax with PHI to
the wrong party should report the
incident to their supervisor or
Ridgeview’s HIPAA Privacy Officer
immediately at x2801 or email
HIPAAPrivacyOfficer@ridgeviewinstitute.com
 In addition, all print jobs should be
picked up IMMEDIATELY from the
printer and should never be left
unattended.
Ridgeview’s HIPAA Privacy Officer
Health Information Technology for
Economic and Clinical Health (HITECH) Act
The HITECH Act (law) strengthens HIPAA enforcement. It includes
provisions that call for increased monetary penalties for violation of HIPAA
privacy and security regulations, new patient information breach notification
requirements, and increased privacy rights for patients.
 HITECH established four tiered ranges of increasing minimum penalty
amounts, with a maximum penalty of $1.5 million for all violations of an
identical nature during a calendar year.
 Depending on the circumstances, federal or state law may permit civil or
criminal litigation and/or restitution, fines, and/or penalties (including jail
time) for actions violating HIPAA.
 Ridgeview Sanction Policy which could include termination of employment
depending on the severity of the violation.
A recent example in the news, a hospital in
Massachusetts agreed to pay a $1 million dollar
fine as a result of an incident involving the loss and
disclosure of PHI of 192 patients.
Breach Notification (HITECH)
If it is determined there is a violation,
certain entities must be notified:
 Individual whose privacy has been
violated
 Office of Civil Rights under the DHHS
 Media (over 500 individuals)
 Business Associates must report to the
Covered Entity
Business Associates (BAs)
HIPAA governs those who contract with Ridgeview
Institute and use or have access to Protected
Health Information (PHI).
Penalties and sanctions are applied directly to
BAs violating Privacy and Security regulations.
RVI Intranet: HIPAA Related SPPs







1.2 Business Associates
1.6 Confidentiality
7.1 Personnel Security
7.2 Workstation Use
7.3 E-mail, Internet, & Intranet Use
14.24 Faxing Employee Healthcare Info.
15.2 Release of Information
HIPAA Related SPPs (continued)
15.3
Completion of Medical Record
15.4 Faxing Patient Information
15.5 Amendment to Protected Health Information
15.6 Right to Request Privacy Protection
15.7 Sanctions for Non-Compliance with HIPAA
15.8 Privacy Complaints
15.9 Notices of Privacy Practices of PHI