
HIPAA – An Introduction

Ver X.X
Preface

The Health Insurance Portability & Accountability Act (HIPAA) requires that our organization train all workforce members about Caliber Point's HIPAA Security and Privacy Policies and those specific HIPAA-required procedures that may affect the work you do in the organization.
For Internal training purpose 2
This HIPAA Training Program will help you understand:

• What is HIPAA?
• Who has to follow the HIPAA law?
• When do we start?
• How does HIPAA affect you and your job?
• Why is HIPAA important?
• Where can you get help with HIPAA?



What is HIPAA?

HIPAA = The Health Insurance Portability and Accountability Act, a federal law created in 1996.

H = Health
I = Insurance
P = Portability and
A = Accountability
A = Act



What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act, a US federal law that:
o Protects the privacy of a patient's personal and health information.
o Provides for electronic and physical security of personal and health information.
o Simplifies billing and other transactions.



Why HIPAA?
• Proposed due to the growing national concerns for health care reform.

• Initially intended to improve the portability and continuity of health insurance coverage for groups and individuals.

• To provide health care coverage for all people, regardless of preexisting health conditions or layoff.

• To combat waste, fraud and abuse in the health care system.

• To protect medical records and other personal health information (PHI) and give patients new rights regarding the management of their PHI.

• Administrative Simplification:
– To establish precise and uniform standards for Electronic Data Interchange (EDI)
– To reduce the cost and improve the process of filing insurance claims



HIPAA Overview



Who has to follow HIPAA?



What Patient Information Must We Protect?

We must protect an individual's personal and health information that:

• is created, received or maintained by a health care provider or health plan;
• is written, spoken, or electronic; and
• includes at least one of a list of personal identifiers.

HIPAA calls this information Protected Health Information (PHI).



Who’s Affected ?



What is PHI?

Any ONE of these personal identifiers plus a person's health care or health care payment information = Protected Health Information:

• Name, all types of addresses including email, URL, home
• Identifying numbers, including Social Security, medical records, insurance numbers, biomedical devices, vehicle identifiers
• Full facial photos and other biometric identifiers
• Dates, including birth date, dates of admission and discharge, death



PHI

When do we have to Protect PHI?

NOW!



My Job and HIPAA

How does HIPAA affect my job?

• If you currently see, use or share a person's protected health information (PHI) as a part of your job, HIPAA may change the way that you do your job.
• As a part of your job, you must protect the privacy of patients' PHI!



My Job and HIPAA

When can you use PHI?

• It can be used only to do your job!

Do not:
• Make any unauthorized copy of PHI onto any local drive.
• Print any document containing PHI without authorization.
• Share any PHI with friends, relatives, etc.

If you have any questions about what you must do, or whenever you are in doubt, ask your supervisor.



Security

Protecting patient privacy requires us to secure patient information.

Security means that everyone must secure and safeguard PHI so that others cannot see or use it, UNLESS it is necessary to do their job.



Security

Secure all PHI:

• Sign, and follow the spirit of, the NDA you sign with Caliber Point.
• Do not share or give anyone your passwords, under any circumstances!
• Log off computers when finished and secure paper records that contain PHI!
• Destroy, shred or put in the designated bins all paper that could contain PHI!



Security

Our organization has a stated Security policy. It is displayed at various locations in the office premises. Please go through and understand the policy. If you need further information on it, ask your Project Manager.



Security – Employees’ Responsibility

• Comply with the Organization's corporate security guidelines.
• Ensure that any desktop, peripheral, user ID, password, key lock device or any other device issued for accessing company resources remains confidential and under your control.
• Access only authorized information.
• Refrain from using connection devices, such as modems, without prior approval from network security personnel.
• Restrict use of the extranet, email and company electronic and computing resources to business use only.
• Use of company computing resources for personal gain or in a manner inconsistent with professional conduct is strictly prohibited.
• Take precautions that no comments are made publicly or sent electronically that could be construed as representing Caliber Point, unless you are authorized to speak for the company.



Security – Employees’ Responsibility

• Refrain from installing or downloading software from external sources, to avoid virus infection, and comply with software license agreements when using copyrighted software.
• Promptly report any concerns about security exposures or possible violations of this procedure to the manager, security personnel, or other designated personnel.
• Cooperate with authorized persons conducting audits or investigations.
• Always display your ID/access cards when you are at work and do not use your access cards for others.
• Do not take visitors into the office premises without authorization.
• Ensure your desk is clean when you leave for the day. Do not leave any project-related confidential material on your desk.
• Participate actively in business continuity.
• Use the paper shredder to destroy unwanted confidential documents.



Security – Employees’ Responsibility

• Caliber Point's security measures, which all of us have to follow and practice:
1. Do not share your passwords.
2. Always display your ID/access cards when you are at work. Keep your ID card visible.
3. Do not use your access cards for others.
4. Enable a password-protected screen saver with a 4-minute wait time on your desktop.
5. Use passwords of at least 9 characters.
6. Always lock your desktop when it is unattended.
7. Leave your desk clean when you leave for the day.
8. Do not leave any project-related confidential material on your desk.
9. Use paper shredders to destroy unwanted confidential documents.
10. Report suspicious security incidents to the e-mail display name "Security Alarm Team".



Security Vs Privacy

• The word "security" should not be confused with "privacy."

• Security is about protecting the privacy of electronic patient information:
– Information stored on electronic media
– Information transmitted through electronic means

• Privacy covers the confidentiality of PHI in all formats. The physical security of PHI in all formats is one element of it.



Physical Safeguards

• Steps for ensuring information on computers is secure:
• Require log-ins
• Protect IDs and passwords; never share them
• Screensavers (recommended less than 5 minutes)
• Log off the computer before leaving it unattended
• Position computer monitors away from public areas to avoid observation by visitors
• Hard drives are appropriately "cleansed" before de-commissioning or transfer



Workstation(s)

• No unmanned workstations in public areas.
• Be skeptical of e-mails and web sites that ask for sensitive information.
• Keep the operating system up to date.
• Use anti-virus software.
• Avoid risky web activities.
• Password-protect the computer.
• Use STRONG passwords.



Technical Safeguards

• Access Control
– Limit access.
– Unique user identification
– Emergency access procedure
– Automatic logoff
– Encryption and decryption

• Audit Controls
– The rule defines this requirement as implementing hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI.
– The rule's flexibility does not appear to extend to having no audit trail mechanism at all.
Technical Safeguards

• Integrity
– Policies and procedures to protect e-PHI from improper alteration or destruction

• Authentication

• Transmission
– e-PHI is not improperly modified without detection until it is disposed of
– Mechanisms to encrypt e-PHI where deemed appropriate
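The technical safeguards listed on these two slides can be seen working together in a small access gateway. The following is an added illustration, not code from Caliber Point or from the HIPAA rule; the record store, the integrity key, the roles and the 4-minute idle limit are constructed for the demo.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

INTEGRITY_KEY = b"constructed-demo-key"  # assumption: a per-system secret, not a real key
IDLE_TIMEOUT = 4 * 60                     # seconds; mirrors the 4-minute screen-saver rule

def seal(record: dict) -> str:
    """Integrity safeguard: HMAC-SHA256 tag over a record's canonical form."""
    canonical = "|".join(f"{k}={record[k]}" for k in sorted(record))
    return hmac.new(INTEGRITY_KEY, canonical.encode(), hashlib.sha256).hexdigest()

# Constructed sample e-PHI store; tags are computed once when the store is loaded.
RECORDS = {"MRN-001": {"name": "Sample Patient", "dob": "1970-01-01", "dx": "constructed"}}
TAGS = {mrn: seal(rec) for mrn, rec in RECORDS.items()}

# Access control: each role may perform only the actions listed (least privilege).
PERMISSIONS = {"clinician": {"read"}, "billing": {"read"}, "auditor": set()}
AUDIT_LOG = []  # audit control: every attempt, allowed or denied, is recorded

@dataclass
class Session:
    user_id: str   # unique user identification; never a shared account
    role: str
    last_active: float = field(default_factory=time.time)

def access(session: Session, action: str, mrn: str, now: Optional[float] = None):
    """Return a copy of the record if the access is permitted, otherwise None."""
    now = time.time() if now is None else now
    outcome, record = "allowed", RECORDS.get(mrn)
    if now - session.last_active > IDLE_TIMEOUT:
        outcome = "denied: automatic logoff (idle session)"
    elif action not in PERMISSIONS.get(session.role, set()):
        outcome = "denied: role not permitted"
    elif record is None:
        outcome = "denied: unknown record"
    elif not hmac.compare_digest(seal(record), TAGS[mrn]):
        outcome = "denied: integrity check failed"  # improper modification detected
    else:
        session.last_active = now  # successful activity refreshes the idle timer
    AUDIT_LOG.append({"ts": now, "user": session.user_id, "action": action,
                      "mrn": mrn, "outcome": outcome})
    return dict(record) if outcome == "allowed" else None
```

Tampering with a record directly (bypassing `seal`) makes the next read fail the integrity check and leaves a denial entry in the audit log, which is the detection the Integrity safeguard asks for.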



Administrative Safeguards

• Designed to guard the confidentiality, integrity, and availability of e-PHI
• 7 sections to the required administrative procedures:
– Assigned Security
– Contingency Plan
– Information Access Management
– Training & Awareness
– Security Management
– Workforce Security
– Security Incident Procedures



Security Incident

Any activity that harms the resources of, or can cause harm to, the Organization, and/or:
• Unauthorized changes to or access of PHI or ePHI
• Criminal activity or natural disaster

You should follow your "in place" Security Incident procedures and notify:
• Your supervisor or manager
• The Compliance Officer or designate
• Information Security, if PHI is involved



Questions

1. What is PHI? (Please click on all answers you think are right. There
may be more than one right answer.)
a. A person's Protected Health Information.
b. A person's health, billing or payment information that is created
or received by a health care provider or health plan.
c. Protected Health Information is information about a person that
can be used to identify the person.
d. PHI is a person's information that is protected by the HIPAA law.

2. Who has to follow the HIPAA Law? (Please click on all answers
you think are right. There may be more than one right answer.)
a. My supervisor, and other administrators, managers and directors
b. Everyone
c. I don't know



Questions

3. When can I disclose or use PHI? (Please click on all answers you
think are right. There may be more than one right answer.)
a. Only if HIPAA allows me to use or disclose PHI as a part of my
job.
b. For the treatment of a patient, if that is part of my job.
c. For obtaining payment for services, if that is part of my job.
d. For teaching activities, if that is part of my job.

4. Where can I get more information on HIPAA and the Organization's Privacy and Security policy?
a. From the Company's website.
b. From my supervisor or manager.
c. From the Company's Privacy Officer.



Thank You
