HIPAA Privacy and Security/HITECH Training 2014‐2015 Greetings, As many of you know, all health care organizations were required to be compliant with HIPAA Privacy Regulations in 2003 and later HIPAA Security Regulations that became effective in 2005. New legislation referred to as HITECH in 2009 addresses additional requirements. One of the requirements under these laws is mandatory training for all non paid individuals offering their services to the UConn Health Center who, as part of their experience, will have access to patient’s protected health information. This training includes a review of the organization’s policies and procedures relating to protecting patient information. We have developed the attached training packet for your review and completion. It is a summary of your responsibilities as an unpaid individual offering your service to the UConn Health Center (UCHC). Completion of these materials will satisfy your HIPAA training requirements for any UCHC site. At the end of the text is a self‐knowledge check of the materials. Please sign the next page of the packet indicating that you have completed the training packet and return it to your UCHC host. Continued participation in your Program is contingent upon proof of completion of this material. We are available to you to answer any questions or to address any concerns about the privacy and security of patient information during your work at UCHC. Thank you in advance for your cooperation, Iris Mauriello, RN, CHC Corporate Compliance Integrity Officer and HIPAA Privacy Officer Jonathan Carroll AVP, Enterprise IT Operations and Information Security Officer Certification of HIPAA Privacy/Security/HITECH Training Packet Completion 2014‐2015
I have read and understand the UConn Health Center HIPAA Privacy/Security/HITECH training materials. Further, I understand that the location of additional information about the UConn Health Center policies and procedures related to patient privacy have been detailed in the training documents. _________________________________________________________________________________ Printed Name _________________________________________________________________________________ Signature Date HIPAA/HITECH Privacy and Security
Student Training Academic Year 2014‐2015
Welcome to HIPAA/HITECH Privacy and Security training.
As you may know, all health care organizations are required to comply
with HIPAA/HITECH Privacy and Security Regulations. These
regulations have undergone several updates, the latest of which were
enacted in early 2013. As UCHC School of Medicine and School of
Dental Medicine students you will have access to patients’ confidential
health information as part of your educational experience. Therefore,
you are required to complete HIPAA/HITECH training.
Thank you for completing this training. Continued participation in your
educational program is contingent upon proof of completion.
When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else. David Brinkley
UCHC’s Confidentiality Policy
 “All individuals are expected to be professional and
maintain confidentiality at all times, whether dealing with
actual records, projects, or conversations….”
 “All individuals having access to confidential information
are bound by strict ethical and legal restrictions…..”
Refer to UCHC policy # 2002-43 Confidentiality
What types of information must UCHC protect?  Medical/Dental/Behavioral Health-related patient information
 Research data requiring protections (clinical trials, patient survey
responses, etc.) as required by the NIH.
 Student information.
 Employee human resources and financial information.
 Any information about employees, students, patients, Board
Members, etc. which includes Social Security numbers.
 Financial information
 IDs and/or Passwords for access to Health Center computing
 Other confidential or sensitive Health Center information not in
the public domain.
HIPAA/HITECH Privacy and Security
HIPAA at a Glance
 HIPAA stands for: Health Insurance Portability and Accountability Act
 The “Health Insurance Portability”(HIP) part of HIPAA was
intended to ensure the continuity of health insurance coverage for
workers changing jobs.
 To facilitate this goal, Congress mandated national standards
for transmitting and protecting health information.
 The “Accountability” part of HIPAA was designed to ensure the
security and confidentiality of patient information/data and
requires uniform standards for electronic transmission of data
relating to patient health information.
HIPAA Privacy
 The HIPAA Privacy Rule was enacted to:
 establish national privacy protection standards for all
forms of health information created by “covered entities”,
including health care providers.
 set limits on the uses and disclosures of such information.
 give patients rights over their health records.
HIPAA Security
 The HIPAA Security Rule was enacted to:
 establish national standards for the security of
electronic health information (ePHI).
 protect individuals’ ePHI that is created, received,
used or maintained by covered entities.
 outline administrative, technical and physical
procedures to ensure the confidentiality, integrity and
availability of ePHI.
What is HITECH?
 HITECH stands for:
Health Information Technology for Economic and Clinical Health Act
 It is part of the American Recovery and Reinvestment Act (ARRA).
 The HITECH interim rule was enacted in 2009.
 Widened the scope of privacy and security protections under HIPAA.
 Included incentives related to health care information technology
such as:
 creating a national health care infrastructure.
 adopting an electronic health record (EHR) system.
 The HITECH final rule was enacted in January, 2013.
 Made a significant number of changes to HIPAA Privacy and Security.
We’ve Come a Long Way…..Maybe
 Electronic data transmission is a double edged sword.
 More technology = increased vulnerability of personal
 As technology changes we have to do more to protect
that information.
 The confidential information we come in contact with
everyday is only as safe as our weakest link.
What is Protected Health Information (PHI)?
 Any type of individually identifiable health information
in any format including:
 Paper or other media
 Verbal
 Photographed or duplicated
 Electronically maintained and/or transmitted
What makes PHI identifiable?
Any unique number, code or characteristic that links information to a specific individual such as:
Zip Code
Telephone number
Fax number
Email address
Internet address
Social Security Number
Medical Record Number
Patient Account Number
Insurance Plan Numbers
Vehicle Information
License Numbers
Medical Equipment
What is “de‐identified” information?
 Information in which specific pieces (identifiers) have
been removed so that it cannot be linked to any individual
or be re-identified.
 If patient information is de-identified it is not considered
PHI and is not protected under the HIPAA privacy
Refer to UCHC Policy # 2003-29:
Creation, Use and Disclosure of De-identified PHI
Genetic Information
 Genetic information including family history is considered
PHI under HIPAA.
 Includes:
 genetic tests, requests for genetic services, or participation
in clinical research that includes genetic services by an
individual or his/her family member.
 any manifestation of a disease in the individual’s family
 Genetic information may not be used for underwriting
Protecting PHI
 All health information that can be linked to an individual
must be protected under HIPAA.
 As an institution, UCHC has an obligation to protect the
privacy of patient information and maintain the security of
that information on our electronic systems.
 Everyone must be vigilant in their efforts to handle
confidential information in a way that prevents improper
 HIPAA is ultimately about patients and their right to
expect protection of their health information.
Patient Rights under HIPAA
Patient Rights
 Patients have the right to:
 Receive an accounting of certain disclosures of PHI.
 View and obtain copies of their records.
 Request an amendment to their medical records.
 Request that any communication related to PHI be
directed to a specific location.
 Request restrictions on the use or sharing of their
 Receive the UCHC “Notice of Privacy Practices” (NPP)
outlining these rights.
Patient Right to an Accounting of Disclosures
 Upon request, patients must be provided a list of all PHI
disclosures made outside of the institution including:
 disclosures of which the patient may not otherwise be
 improper disclosures resulting in a breach.
 An accounting of such disclosures is maintained in the
patient’s medical record on the “Protected Health
Information Disclosure Tracking Log”
Patient Right to an Accounting of Disclosures
 Disclosures exempt from the accounting requirement include:
 those for treatment, payment or healthcare operations
 those directed to the patient or in response to the patient’s
Refer to UCHC policy # 2003-18:
Accounting of Disclosures of Protected Health Information to
Patients and to the Protected Health Information Disclosure
Tracking Log
Patient Right to View His/Her Record
 Patients have a right to view their records upon request.
 Only written requests using the UCHC “Request to View
Record/Notification of Approval or Denial to View” form are accepted.
 Requests are reviewed with the patient’s attending of record to
determine whether the request will be honored.
 UCHC and the physician will provide a written response to the
patient regarding any request denial.
 Original records are the property of UCHC and may not be removed
from the facility except by court order.
Refer to UCHC policy #2003-17-A:
Patient Right to View His/Her Medical and/or Billing Record
Patient Right to Obtain a Copy of His/Her Medical/Dental or Billing Records
 Patients also have the right to request copies of their PHI in
any form they choose or is mutually agreed upon provided
PHI is readily producible in that format.
 If PHI is maintained electronically UCHC is required to
provide an electronic copy at the patient’s request.
 However, UCHC is not required to provide unlimited format
Refer to UCHC policy #2003-17-B:
Patient Right to Copy His/Her Medical and/or Billing Record
Patient Right to Send Record Copies to Others
 Patients may also request that copies of their medical
records be sent to other designated individuals.
 Requests must be made in writing, clearly identifying the
designated recipient and where to send the copy.
 Records may be provided in an unencrypted form if the
patient understands the risk and agrees in writing.
 It is recommended that records not be sent via email.
Patient Requests for Record Copies
 Patient requests for record copies must be addressed
(granted or denied) within 30 days.
 A one time 30 day extension is allowed with patient notification.
 A reasonable, cost-based fee may be charged.
 Requests for record copies may be denied under
certain circumstances.
 Patients have a right to appeal a denial.
Patient Right to Amend His/Her Medical Record
 Patients can request corrections be made to any inaccurate
or incomplete information in their medical, research, or
billing records.
 Only written requests are accepted.
 A request to amend may be denied.
 The patient may write a disagreement to which UCHC may
write a rebuttal.
 Copies of all such documentation are maintained in the
patient’s record.
Refer to UCHC policy #2003-17-C:
Patient Right to Amend Their Medical and/or Billing Record
and Request for Amendment of Health Information form.
Patient Right to Confidential Communications
 UCHC must honor all patient requests to receive
communications of PHI from UCHC by alternative
means or at alternative locations.
 Follow the steps outlined in UCHC policy #2003-15
Patient Right to Request Confidential Communications
Patient Right to Restrict Disclosures to Health Care Plans  UCHC must honor patient requests to restrict certain
disclosures of PHI to health plans if:
 the disclosure is to carry out payment or healthcare
 the disclosure is not required by law.
 the PHI pertains solely to a health care item or service for
which the patient or other person has paid out of pocket and
in full.
Policy updates are in progress to reflect the 2013
changes to the HIPAA/HITECH rules.
Notifying Patients of Their Rights Under HIPAA: Notice of Privacy Practices (NPP)
 The Notice of Privacy Practices includes UCHC’s pledge to patients to
keep their medical, dental and billing information private.
 The NPP must be:
provided to all patients (excluding inmate/patients).
acknowledged by anyone receiving the notice.
posted in a prominent location.
available on UCHC’s website.
Refer to UCHC policy # 2003-13:
Permission to Treat/Assignment of Benefits/Authorization to Release
Medical/Dental Records/Acknowledgment of Receipt: Notice of Privacy
Practices (Privacy and Security of Protected Health Information (PHI)
Notifying Patients of Their Rights Under HIPAA: Notice of Privacy Practices (NPP)
 The NPP describes for patients:
how their PHI is used and disclosed.
their rights regarding their health information.
how to exercise those rights.
The NPP is undergoing updates to reflect the 2013
changes to the HIPAA/HITECH rules. When available, all
areas utilizing NPPs must obtain, use and post the
updated version.
Patient Authorizations Regarding Their PHI
Sharing PHI Without Authorization: Remember “TPO”
 In order to access, use or share PHI without a signed
patient authorization the purpose must be related to:
 Treatment within and between healthcare providers
across UCHC or in the community.
 Payment for treatment
 Operations-normal UCHC business activities
 Quality improvement
 Training
 Audit/legal/compliance reviews
 Evaluating caregiver performance
Sharing PHI without Authorization
 Other than TPO, Protected Health Information (PHI) may
be shared without a signed authorization for the following
Public Health Activities
Preventing or controlling disease
Reporting abuse, neglect or domestic violence
FDA-regulated product safety
To provide information to coroners, medical examiners, or
funeral directors.
Refer to UCHC policy #2003-27:
Use and Disclosure of PHI Where Authorization or Opportunity
for Patient to Agree or Object is NOT Required
Sharing PHI without Authorization
 Reasons other than TPO (continued):
 Organ donation.
 Health oversight activities:
Civil, administrative, or criminal investigations
 Court order or subpoena.
 For law enforcement purposes related to crimes,
provided certain criteria are met.
Disclosure of Patient Information to the Public and Community Clergy Members
 Unless a patient objects, UCHC may disclose that patient’s
location (hospital room and telephone number) to persons
that inquire about that patient by name.
 Members of the clergy will also be provided with a patient’s
religious affiliation unless the patient objects.
Refer to UCHC policy #2003-26:
Directory Information: Disclosure of a Patient’s Information
Communicating with a Patient’s Family and Friends
 PHI should never be shared with a patient’s family member,
friend or others involved in a patient’s care unless the patient
has given permission to do so.
 A patient can indicate during a discussion with caregivers that
a particular person may be included in that discussion of
medical and/or financial information.
 If a patient is unable to communicate his/her wishes for any
reason, UCHC may determine whether a particular disclosure
is in the best interest of the patient.
Refer to policy # 2003-25:
Use and Disclosure Involving Family and Friends
Disclosures Regarding Decedents
 Care providers may disclose PHI to a family member or
person who was involved in the care of a deceased
patient unless otherwise expressed by the decedent
while he or she was alive.
 Use your knowledge or best judgment regarding
 HIPAA will no longer apply to individuals deceased more
than 50 years.
When is a patient authorization required?
 In general, if the reason for access, use, or disclosure of
information is not related to “TPO” you must have a
signed patient authorization.
 Never access, use or disclose PHI without a patient’s
consent, if indicated.
Refer to UCHC policy # 2003-16:
Authorization for Release of Information and associated
authorization form.
Patient Authorizations
 A valid authorization includes specific requirements:
 PHI to be released
 Who may release the information
 Who may receive the information
 Purpose of the disclosure
 Expiration date
 Signature of patient or patient representative
 Use only UCHC HIPAA-compliant authorization forms.
 A patient may withdraw authorization at any time except to the
extent that UCHC has already used or released information under a
valid authorization.
Refer to policy # 2003-16: Authorization for Release of Information.
Protecting Confidential Patient Information
Minimum Necessary Rule
 Except for treatment purposes, limit access, use or disclosure
of PHI to the minimum necessary to accomplish the intended
 Access, use or disclose:
 Only PHI needed to complete an assigned task in your student role
 Only when the specific PHI is necessary to perform that task.
 Unless you need certain patient information to carry out your
student responsibilities, do not access that information.
Refer to policy # 2003-21: Minimum Necessary Data
Students’ friends and family: Access and Disclosure
 Unless required for a specific educational-related task, students
may not:
 Access family’s or friends’ information, even if they ask you to do
 Access supervisors’ or other students’ information, even if they ask
you to do so.
 Students may not disclose patient information to anyone that is
not authorized to have the PHI including:
 Family
 Friends/neighbors
 Fellow students
 UCHC policy prohibits students who are also patients from
accessing their own medical information for personal reasons.
Verifying Information Requests
 Before sharing any PHI, UCHC will verify:
 The identity of the individual requesting the information.
 That this individual has the right to obtain the information requested.
 If a patient calls to obtain information about him/herself, UCHC
will verify the individual’s identity using information available in
the Patient Registration system.
 In the event that an individual’s identity and/or legal authority
cannot be verified, a UCHC staff will not disclose the PHI and will
report the request to his/her immediate supervisor.
Refer to policy # 2003-20:
Verification of Individuals or Entities Requesting Disclosure of
Protected Health Information
Verbal Exchanges Involving PHI
 Discuss PHI only with those that have a “need to know”
for specific assigned job functions.
 Be aware of your surroundings when discussing patient
 Move to a private area if needed.
 Avoid discussions involving PHI in areas where you may
be overheard such as cafeterias, hallways, elevators,
patient waiting rooms etc.
Telephone/Voicemail/Answering Machine Disclosure of PHI
 Never leave information containing PHI over the phone
with someone other than the patient.
 Leave only generic information on voicemail or answering
 Never leave any PHI, including indication of the services
being performed or the service provider.
Refer to UCHC policy # 2003-24:
Telephone/Voicemail/Answering Machine Disclosure of PHI
Managing Written PHI
 Documents containing PHI must be:
 Turned face down when not in use.
 Kept locked in an office, file cabinet or other storage
 Check printers, fax machines and copiers after using to
ensure that no papers are left behind.
 Never remove paper documents containing PHI from any
Faxing PHI
 Faxing patient information outside of UCHC is allowed in
situations when health information is needed immediately
or when mail or courier delivery will not meet a necessary
 Employees authorized to fax PHI must confirm the
accuracy of the fax numbers and security of recipient
 Any fax that is sent to a location outside of UCHC must
be accompanied by a UCHC-approved fax cover sheet.
Faxing PHI
 Fax machines used to receive or transmit health information
must be located in a secure area to protect the information
from unauthorized users.
 Receiving faxes:
 Schedule with the sender whenever possible so that the faxed
documents can be promptly removed from the fax machine.
 Notify the sender if you receive a misdirected fax so the fax can
be sent to the correct party.
Refer to UCHC policy # 2003-23:
Faxing of Protected Health Information and fax cover sheet.
Disposal of Paper Containing PHI
 Dispose of documents with PHI (faxes, printed emails,
informal notes or copies of patient notes) either by tearing
them up or placing in secured shredder bins.
 Never dispose of documents containing PHI in a trash or
recycle receptacle or in a publicly accessible area.
 Copies of PHI used for case presentations or other academic
requirements must be destroyed in a confidential manner.
Refer to policy # 2008-01:
Disposal of Documents/Materials Containing PHI and Receipt,
Tracking and Disposal of Equipment and Electronic Media
Containing Electronic Protected Health Information.
Managing Electronic Information
You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable.
Daryl White
Acceptable Use of UCHC’s Information Technology Resources
 UCHC workforce members are responsible for the
appropriate use and security of ePHI when using any IT
 Using any unauthorized IT resources or IT resources that
could disrupt operations or compromise security is
Refer to policy # 2011-02:
UCHC Information Security: Acceptable Use
Data Authentication and Physical Safeguards
 To protect from unauthorized access, IT resources must
be physically secured.
 Never leave computers or laptops unattended or
unsecured in public areas.
 Where feasible, authentication to systems or devices
containing ePHI must:
 Include a unique logon or password.
 Be encrypted.
Refer to UCHC policy # 2011-01:
UCHC Information Security: Data Authentication, Physical
Access Control to Facilities
 UCHC limits physical access to all
confidential information, including to the
facilities in which it is housed.
 Lock all file cabinets and rooms that contain
confidential information.
 Always wear your UCHC identification
badge for proper access.
Refer to policy # 2005-04:
UCHC HIPAA Security Facility Access Control
Virus Protection
 All computer equipment connected to the UCHC network
 have UCHC approved, updated anti-virus protection software
 remain current with the manufacturer’s operating system’s
security software updates.
Refer to policy # 2005-10:
UCHC HIPAA Security Virus Protection Policy
Mobile Computing Devices (MCD)
 MCDs include:
 UCHC laptop computers
 Smartphones
 Tablet devices
 USB storage devices
 Confidential data may not be stored on UCHC or non-
UCHC MCDs unless:
 Only information needed for a particular function is stored.
 Information is stored only for the time period needed to
perform that function.
 The device is encrypted by UCHC IT.
 Data is protected from unauthorized access and disclosure.
Bring Your Own Device (BYOD)
 Users will be granted the authority to configure their
personally-owned MCDs to access UCHC’s electronic
 Personally-owned MCDs must be registered and secured
at UCHC’s BYOD website.
Additional information about BYOD can be found at
Refer to policy # 2008-03:
Mobile Computing Device (MCD) Security
Disposing of Electronic Confidential Information
 Secure methods must be used to dispose of electronic data
and output.
 Prior to the removal or sale of any electronic storage
media/devices, contact the UCHC Materials Management
Department to remove all UCHC information, including PHI,
residing on the devices.
 Never leave computers/laptops or other devices unattended
when planning disposal.
Refer to policy # 2008-01:
Disposal of Documents/Materials Containing PHI and Receipt,
Tracking and Disposal of Equipment and Electronic Media
Containing Electronic Protected Health Information.
Electronic Systems Access Control
 Access to UCHC’s information systems is granted only to
appropriately identified, validated and authorized
 Users must each have a unique login and password.
 Memorize your password and do not share your account
information (username/password), password creation or
password changes.
 Do not log in to your computer to allow a fellow student to
work under your username or request that another
student do the same for you.
Electronic Systems Access Control
 Ensure that all laptops are encrypted as required by
UCHC policy.
 Always log off your computer or use a screen saver after
using a shared computer or when your computer is left
 You may be held responsible for improper access by
another individual under your username and password.
Refer to UCHC policy # 2011-03:
UCHC Information Security: Systems Access Control
Electronic PHI (ePHI)
 ePHI is Protected Health Information stored on electronic
systems or transmitted through electronic means.
 Includes personal information stored on:
 Personal Computers with internal hard drives.
 Removable storage devices such as:
USB memory sticks/keys
Back-up tapes
External hard drives
Mobile Devices
 Electronic transmission is data exchanged via the network,
including wireless and DSL/cable home network connections.
Electronic PHI (ePHI)
 ePHI also includes patient information located on
any UCHC electronic information management
system including:
 NextGen
 Others
Monitoring of Electronic Patient Information Systems
 Access to patient records is logged by each Health
Center system.
 Audit logs are reviewed to ensure information is
accessed only on a “need to know” basis.
 If you do not have a legitimate educational purpose for
accessing a patient’s PHI you are not allowed to view
that information.
Think before you click……..
 “Minimum necessary” also
applies to electronic PHI.
 Access/use PHI stored in
electronic systems only
when it is necessary to
perform your assigned job
 Access/use only the
minimum necessary PHI to
complete your assigned
Emailing PHI
 Hand deliver or mail PHI whenever possible.
 When necessary for treatment, payment or operations, email PHI only
to individuals that are authorized to receive the information.
 E-mail only from and to secure addresses with the UCHC network (i.e.
addresses ending in uchc.edu)
 Verify the recipient’s address as secure before sending PHI via e-mail.
 Email encryption must be used to send any confidential information
outside of the UCHC network.
Refer to policies:
# 2012-01 E-mail Communication with Patients/Research Participants
# 2011-04 Electronic Communication of UCHC Confidential Data: Use of
Email Encryption
Email Encryption
 To send a secure email:
 Click the icon in the upper left hand corner of the email message
screen OR
 Include[Secure] (brackets and the word) in the email subject line.
Texting PHI
 Texting confidential information, including PHI, is not
permitted under any circumstances.
 Text messages are not encrypted and, therefore, are never
 Any text message sent containing confidential information,
including PHI, is a violation of UCHC policy, state and
federal laws and must be reported immediately.
Social Media
 PHI or other confidential information should never be
shared on social media sites.
 Any medical information that is posted must be
completely de-identified.
 Although you may think information has been de-
identified, it may be possible to identify an individual,
even with minimal information.
Managing Breaches of PHI
 A breach is defined as any improper access, acquisition,
use or disclosure of PHI that compromises the security or
privacy of the information unless it can be proven that the
risk of compromise to the information is low.
 Includes situations in which more than the minimum
necessary PHI is involved.
 All potential breaches are evaluated UCHC and may
result in notifying the affected patient(s) and the
Federal Office for Civil Rights (OCR).
 OCR may investigate any breach that is reported.
Managing Breaches
 Known or suspected breaches must be acted upon
without delay to assess the situation and mitigate risk.
 There are strict timeframes for notifying:
 Affected patient(s)
 Office for Civil Rights
 If you know or suspect that a breach has occurred report
it to your preceptor or a UCHC manager immediately.
 The UCHC Privacy and/or Security Offices will be
contacted for guidance.
Examples of Breaches that Have Occurred at UCHC
 Paper:
 Lab requisitions, test results or other confidential
communication mailed to the incorrect patient.
 Discharge paperwork handed to the wrong patient
 Paperwork containing PHI left in public areas.
 Verbal:
 Discussing a patient’s medical information in a public area.
 Discussing a patient’s medical information in front of others
without the patient’s permission to communicate.
Examples of Breaches that Have Occurred at UCHC
 Electronic
 Accessing patient information for purposes that are not
related to job functions, educational responsibilities
and/or assigned tasks including the PHI of co-workers,
family members, friends, and VIPs.
 Lost unencrypted laptops or other mobile devices
containing PHI.
 Texting PHI.
 Computer screens containing PHI that are visible to
unauthorized individuals.
Tips for Preventing Breaches
 Keep track of documents containing PHI (don’t leave
unattended, don’t take in the restroom etc.)
 Keep private conversations private if PHI is being
discussed (you never know who may overhear).
 Never text PHI.
 Do not share PHI via social media.
Tips for Preventing Breaches
 Obtain a patient’s permission before involving others in a
discussion that includes PHI.
 Do not access or use patient information that is not
related to your student responsibilities.
 Never disclose PHI to anyone that is not authorized to
have the information.
 Encrypt all electronic equipment that may contain PHI.
Patient Complaints Regarding Breaches of PHI
 Patients may contact the UCHC Patient Relations
Department with any concerns related to the privacy or
security of their PHI.
 Patients may also elect to register a complaint with the
U.S. Department of Health and Human Services, Office
for Civil Rights.
Refer to UCHC Policy #2003-19:
Patient Complaint Regarding Use and Disclosure of PHI
UCHC Policies
Please review UCHC’s Confidentiality Policy at:
All HIPAA Privacy and Security policies are located at:
UCHC Contacts
 For Privacy questions or to report Privacy violations
Iris Mauriello, Privacy Officer
[email protected]
 For Security questions or to report Security violations
Jon Carroll, Information Security Officer
[email protected]
 You may also report any Privacy or Security concern
anonymously through UCHC REPORTLINE: 1-888-685-2637
Knowledge Check
1. Which of the following is not considered Protected Health Information under HIPAA?
A. An EKG report for a participant in a human subject research study.
B. A discharge summary for a JDH patient.
C. A photo used for student education showing only a wound on the hand of an unidentified patient.
D. A patient invoice that includes a listing of diagnostic lab tests completed.
The correct answer is “C”. Only information that cannot be linked in any way to a particular individual would not be considered PHI
2. Maria is a nursing student and has cared for a patient who had a minor procedure done in the surgery center. The patient’s neighbor has come to give the patient a ride home after the procedure and is waiting with the patient. Maria needs to review the procedure and discharge instructions with the patient. Maria isn’t sure if the patient has given permission to communicate with her neighbor. What should Maria do? A. Review the information privately with the neighbor first since she is taking the patient home.
B. Review the information with the patient and neighbor together since the patient must approve if the neighbor is in the room.
C. Discharge the patient and plan to review the information during her next clinic appointment.
D. Ask the patient’s permission to review the information in front of her neighbor.
The correct answer is “D”. Unless you are sure the patient has given permission to communicate PHI with another individual always check with the patient before sharing any information. 3. A signed patient authorization gives UCHC permission to disclose any and all parts of a patient record. True
The correct answer is “false”. The patient authorization specifies which parts of the medical record may be shared. Only disclose those sections indicted unless the patient has given permission to share the entire record.
4. While eating lunch in the cafeteria, you overhear a group of students discussing a patient, including diagnosis, treatment plan and prognosis. You notice other employees as well as visitors at nearby tables. What should you do?
A. Move to another table so you won’t hear the discussion.
B. Stare at the group in hopes that they get the message to end their conversation.
C. Politely remind them that they should not discuss patients in a public area.
D. Sit down and join them since the discussion sounds really interesting.
The correct answer is “C”. Patient information should only be discussed in a private area and only with those that have a right to know the information.
5. Sarah is a staff member in the Cancer Center. At the request of her patient, she calls the patient to report her recent lab results. The patient has indicated on the UCHC “Permission to Communicate” form that information may be shared with her husband, who she has identified by name. When Sarah calls the patient’s home, she reaches the patient’s sister who tells her that the patient is not at home. What should Sarah do?
A. Tell the patient’s sister that she is calling from the Health Center and ask that the patient return her call.
B. Tell the patient’s sister that she is calling from the UCHC Cancer Center with lab results and ask that the patient call her back.
C. Ask the sister to get a pen and paper to write down the results to give to the patient.
D. Hang up and call back at another time.
The correct answer is “A”. Never leave a message containing specific information if the patient has not given permission to communicate with that particular individual.
6. Bert and Ernie are students and friends who are completing an internship on the same patient care unit. Ernie runs into a problem with his username and password and finds that he cannot log onto the computer to document in a patient’s record. To save time, he asks to borrow Bert’s username and password until he has a moment to contact the Information Technology Helpdesk. What should Bert do?
A. Give Ernie his username and password to log on.
B. Offer to log on under his own username and password to allow Ernie to write his note.
C. Explain to Ernie that UCHC policy does not allow him to share his username and password.
D. Get another student to log on and let Ernie complete his note.
The correct answer is “C”. Never allow another student to use your password or ask to use a fellow student’s log on information. You are responsible for any documentation completed under your username and password.
7. Jeremy, a social work student, is searching in an electronic system for the record of a clinic patient. The patient happens to have the same last name as a fellow student, Jill. During his search he sees Jill’s name on the list of patients and notes that she has a medical record in the system. Jeremy is curious about Jill’s medical information so he looks and finds that she recently had surgery. Did Jeremy do the right thing?
A. Since Jeremy “inadvertently” discovered that Jill is a patient, it’s OK to view her record.
B. Jeremy may not access any patient’s record, unless the reason is specifically related to his student responsibilities.
C. Jeremy may view Jill’s medical record, but he shouldn’t tell her that he knows she had surgery.
D. Because Jill is a student, she cannot expect her information to be kept private. Anyone with access to a patient information system is allowed to access her record.
The correct answer is “B”. Students who are also UCHC patients are entitled to the same privacy as any patient.
8. While answering the phones in a busy clinic, you receive a phone call from a patient who reports that, in addition to her own lab results, she received the lab results of another patient in the mail. What should you do?
A. Apologize for the error and tell the recipient to throw the other individual’s results in the trash. Notify the unit manager of the call when you have a chance.
B. Ask the recipient to tell you the name of the other patient and any specific PHI that was sent in error. Notify the unit manager and review the PHI that was released in error.
C. Tell the recipient to call back at another time when the manager or a staff member is available. D. Thank the recipient for calling to report the error. Notify the unit manager or a staff member while the patient is on the phone as this is a potential breach that must be managed immediately.
The correct answer is “D”. The manager or staff member must address the situation immediately to minimize the risk to the patient’s information that was inappropriately disclosed.
9. An outside practitioner will be following a UCHC patient with whom you have been working. Your preceptor/manager confirms that it is permissible to share PHI related to the patient’s follow‐up care with this particular practitioner. The practitioner sends you an email asking for a summary of the patient’s condition and treatment. Which of the following should you do?
A. Simply reply to the email with the information requested.
B. Reply and click the “Secure” button prior to sending the email.
C. Reply and type [secure] in the subject line or message.
D. Either B or C.
The correct answer is “D”. Always click the “Secure” button or type [secure] when sending PHI outside of the institution via email.
10. Denise is a nursing student who recently assisted with a patient in the UCHC Emergency Department (ED) that had been involved in a serious car accident. The accident was reported on the local news and on the front page of several newspapers. Denise can’t wait to tell her friends about her ED experience so she posts on her Facebook page details about the accident, the patient’s injuries and a picture she took with her cell phone. She is careful not to disclose the patient’s name or to expose the patient’s face but assumes it is OK to share other information including the patient’s age, sex and town of residence. Did Denise breach this patient’s confidentiality?
The correct answer is “Yes”. Students should never photograph patients with a personal cell phone and post photos on social media. In addition, even though Denise did not include the patient’s name or photo of the patient’s face, it is possible for others reading her post to identify the patient, given the information that was shared and the fact that the accident was highly publicized. This, therefore, would rise to the level of a breach under the HIPAA/HITECH regulations.

HIP AA Privacy and Security/HITECH Training   4‐2015   201