The Basics
Info Release
Beyond Basics
IT Security
100

HIPAA

What is the Health Insurance Portability and Accountability Act?

100

Obtained before releasing Protected Health Information for purposes other than treatment, payment, and operations

What is a written client authorization/consent?

100

This is the name for any third-party organization that has an agreement with CGC (e.g., DCF) and may be granted access to our data.

What is a Business Associate?

100

Attempting to acquire sensitive information such as usernames and passwords, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

What is phishing?

200

PHI

What is Protected Health Information?

200

Individual’s name, SSN, driver’s license number 

What are examples of direct identifiers?

200

What to do if you receive a suspicious email.

What is do not open it and forward it immediately to CGC IT?

200

Three CGC workstation rules.

What are: 1) only CGC IT may install applications and hardware on CGC computers. 2) use only approved software. 3) do not attempt to install or download unauthorized applications. 4) always save important files to your network drive (I:), not to the local hard drive. 5) only browse websites that are required to do your job. 6) do not look at sensitive information that you do not require to perform your job responsibilities.

300

One of three reasons why HIPAA was enacted.

What is: 1) Establish basic privacy and security protection of health information. 2) Guarantee individuals the right to access their health information and learn how it is used and disclosed. 3) Simplify payment for health care

300

Definition of an indirect identifier.

What is any information about an individual that can be matched with other available information to identify the individual?

300

Identify the PHI in the following excerpt:

John Smith is a 15 year old male, DOB 5/15/2003, who is presenting to CGC with sad mood, anhedonia and recent incident of self-injury. He is the oldest of 3 children in an intact family living in Stamford, CT.

What is his name, date of birth and city of residence? 

300

You find a thumb drive in the parking lot with no identifying information. You

a) plug it into your computer to see what is on it and figure out to whom it belongs

b) you keep walking and leave it where it was

c) you deliver it to CGC IT (aka Rob)

d) you throw it in the garbage - too bad for the person who dropped it.

What is c) deliver it to CGC IT (aka Rob)

400

Two ways HIPAA protects PHI.

What are: 1) Limits who may use or disclose PHI. 2) Limits the purposes for which PHI may be used or disclosed. 3) Limits the amount of information that may be used or disclosed. 4) Requires use of safeguards over how PHI is used, stored and disclosed.


400

Individual at CGC who is ultimately responsible for ensuring all PHI has been removed when releasing information.

Who is the Privacy Officer?

400

Protected health information includes information about...

What is 1) a person's health, health care, or payment of health care (the term "health" includes mental health and behavioral health issues) 2) information that identifies a person 3) services created or received by a covered health care plan or provider.

400

Limiting unauthorized physical access to electronic information systems and ensuring proper use of all workstations that have access to PHI.

What are examples of HIPAA Information Security physical controls?

500

This part of HIPAA limits the amount of information that may be used or disclosed.

What is the Minimum Necessary rule?

500

When PHI is disclosed without client authorization.

What is a HIPAA breach?

500

This is an example of a best practice for securing PHI in CareLogic (CL). 

What is 1) never share your CL password 2) use passwords complex enough that they cannot be deduced 3) log off when you are not actively charting in a client's record 4) never access another client's record when in the presence of a client 5) ensure clients cannot view open CL on your workstation screen unless engaged in collaborative documentation?

500

Viruses, worms, spyware and malware

What are types of malicious software?

Malicious software can be carried via websites and email.
