What does HIPAA protect?
Medical records, insurance, financial, identifying details, and other patient health information (PHI).
What is the Red Flag Rule designed to prevent?
Identity theft and medical fraud.
What is the purpose of the Stark Law?
Prevents providers from making referrals that create improper financial benefit.
What is phishing?
A scam designed to steal information, passwords, money, or access.
🔥 DOUBLE JEOPARDY 🔥
A patient's spouse calls and says:
"I'm listed on the insurance policy, I scheduled his appointment, and I pay for his care. Can you tell me what the doctor found?"
Can you tell them?
NO!!!
Being a spouse, policy holder, scheduler, or payer does not automatically grant access to Patient Health Information. This violates HIPAA!
A patient's mother wants to confirm the date/time for her 22-year-old daughter's appointment.
What should you do?
Require patient authorization, either through a HIPAA release form or from the patient directly, before discussing care.
What is the term for using another person's insurance or medical information to receive healthcare services?
Medical Identity Theft.
Why does Stark Law exist?
To prevent conflicts of interest and protect patients.
What is the biggest clue that an email may be a phishing attempt?
It creates urgency, asks for sensitive information, or comes from a suspicious sender.
Using a coworker's login because yours isn't working.
Is this Sus or Secure?
🚨 Sus
You accidentally leave a patient's intake paperwork on the front desk where others can see it.
What went wrong?
Unauthorized disclosure of PHI.
Name one warning sign that could indicate a patient's identity should be verified more carefully.
Mismatched information, no photo ID, inconsistent DOB, etc.
True or False: A referral can become a compliance concern even if the patient receives good care.
True.
Stark Law focuses on the referral relationship, not just the outcome.
Name two warning signs that an email or text message might be phishing.
You receive a text directly from Dr. Lee stating:
"We have had a breach of our google accounts. Every please update your passwords and send them to be ASAP"
The number is correct. The message sounds like him.
What should you do?
VERIFY FIRST - email, call, or message him on a platform OTHER than the one you received the request from. Or confirm in person!
🔥 DOUBLE JEOPARDY 🔥
What is the difference between a HIPAA violation and a HIPAA breach?
A violation is failure to follow HIPAA rules; a breach is an unauthorized access, use, or disclosure of protected health information.
A patient says their insurance card has a different last name because they recently got married. Does this automatically remove the concern?
No. Identity still needs to be verified, in the form of name change documents.
What is the biggest danger when financial interests influence referral decisions?
Patients may receive referrals that are not based solely on medical need, which can delay proper treatment.
You receive a message with a link directly from a trusted coworker's number/email. What should you do before opening it?
Verify that they sent it via a communication method other than the one the initial message arrived on (email, text, WhatsApp, in person, etc.).
An NP provides a valid ID and insurance card. They say:
"I came here six months ago under my ex-husband's insurance and a different last name. My records should already be in your system."
You search ChiroHD and find someone with similar but not identical contact information. But the DOB and first name match.
The patient says: "That's me. Just merge my profile."
Question:
What is the concern here, and why would immediately merging the charts be risky?
🚩 Potential medical identity theft, duplicate patient records, or mistaken identity.
Even though the explanation sounds reasonable, merging records incorrectly could:
A neurologist's office calls requesting a patient's records, and the patient is standing at the front desk saying, "Yeah, that's fine, send them over." What important HIPAA step should still be completed before releasing records?
Proper documentation/authorization for the release of records.
What is the biggest risk of failing to detect medical identity theft before creating or updating a patient's profile?
Incorrect medical records, patient harm, insurance fraud, and compliance violations.
A doctor recently got a divorce. His ex-mother-in-law owns a diagnostic facility to which he refers some of his patients. Is this a Stark Law violation?
Yes!
You accidentally click a suspicious link.
What should you do immediately?
Report it to Dr. Lee immediately and change your passwords.
A doctor receives an email from a known referral partner requesting patient records.
The sender's email address is correct.
The request seems normal.
The patient has actually been referred there.
However, the email asks for records to be sent to a different email address because:
"Our system is down today."
What is at risk here, and what should you do?
Unauthorized disclosure of Protected Health Information (PHI) due to a potential phishing or social engineering attack. Reach out to the office directly to confirm the situation, and collect a HIPAA release form for the updated email/number they want the records sent to.