It’s all about HIPAA Lesson

October 9, 2014


A HIPAA PowerPoint presentation (ppt) accompanies this course. Please download it and review all the slides.


It’s all about HIPAA in the health care industry these days. The Federal Health Insurance Portability and Accountability Act of 1996, known as HIPAA, was passed to establish a national framework for security standards and for protecting the confidentiality of health care data and information, with the basic goal of protecting patients’ information.

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinical functions. Many hospitals today are paperless, and patients’ charts are now all electronic.

A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ electronic protected health information (e-PHI).

HIPAA regulations are organized into three primary areas: privacy, security, and administrative simplification. These three areas are interdependent and are designed to work together to protect patient confidentiality.



Privacy

This section covers the general rules for the use and disclosure of individually identifiable health information by providers and others. Privacy in HIPAA is about keeping patient health information private, with information shared only on a “need to know” basis. The privacy section of HIPAA consists of the rules and regulations that specify how and when health care facilities, health care professionals, employers, and health insurance companies (collectively called “covered entities” in the HIPAA regulations) can use and disclose protected health information.

The privacy provisions of HIPAA allow covered entities to share protected health information verbally, in writing, or electronically with another covered entity and its employees if the sharing is for the purpose of providing treatment to a patient, ensuring patient safety, or facilitating payment for medical care. The privacy provisions specify that covered entities must keep track of how they use protected health information, document that use, and tell individuals how their protected health information is being used. Covered entities are required to have written privacy policies and procedures, and these must be shared with the patient at the patient’s request.

Under the privacy section of HIPAA, the patient has the right to ask covered entities how his/her protected health information has been used and who has viewed it, and an individual has the right to file a complaint with the Department of Health and Human Services if he/she feels that his/her privacy has been violated.

The privacy section of HIPAA is probably the most confusing to Nurse Assistants and other caregivers. Sometimes you will have a patient with many family members who are always calling to enquire about how he/she is doing. It is important to remember that a patient’s protected health information should only be shared if he/she has given express permission to do so. If you do not have permission from the patient and you disclose any health information to the family, you are in violation of HIPAA. As a healthcare professional, you must make sure that a patient’s protected health information is only shared with the appropriate people in an appropriate way. Since protected health information can only be shared for the purposes of providing treatment to a patient, ensuring patient safety, or facilitating payment for medical care, it becomes clear, when you stop and think about it, who can be told what about whom, and when, where, and how this information can be shared. So the next time you answer the phone and someone asks whether Mrs. Jones has had her surgery, think again before sharing that information.

How many times have you been in a crowded elevator and heard Nurses and Nurse Assistants say something about a patient? “Oh my God, Mr. Brewers drove me crazy today. He kept leaving his room without a mask and he has MRSA. And now his tests are positive for TB.” This is clearly a HIPAA violation. You do not know whether Mr. Brewers’ neighbor is in that elevator too. And the other nurses? Do they need to know that information about the patient? Absolutely not; they are not assigned to that patient and are not taking care of him. Always remember that patient health information is shared on a “need to know” basis for the purposes of providing treatment to a patient and ensuring patient safety.


Security

This section covers the regulations that require providers and others who maintain health information to preserve the security and integrity of individually identifiable health information. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The security part of HIPAA and the privacy section are closely related, but the privacy section outlines in general terms how to handle patients’ protected health information whether it is written or in electronic form. The security section is concerned with electronic protected health information, and it outlines the specific security safeguards that covered entities must use to keep this information safe and make sure it is used appropriately. The privacy section of HIPAA tells you what to do and the security section tells you how to do it.

These security safeguards are:

  • Administrative safeguards: Administrative safeguards are the policies and procedures that covered entities must have in order to safeguard protected health information. For example, this part of the security aspect of HIPAA dictates that covered entities must have a HIPAA privacy officer, must have an emergency plan in case the security of protected health information is compromised, must clearly identify which employees are allowed to access protected health information, etc. In order to be “HIPAA compliant,” a covered entity must have written, documented plans that address how it handles information security and security breaches.


  • Physical safeguards: Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls. The Security Rule requires covered entities to implement physical safeguard standards for their electronic information systems whether such systems are housed on the covered entity’s premises or at another location.


  • Technical safeguards: The technical safeguards are, in large part, the responsibility of the computer professionals of each covered entity. HIPAA requires, among many other things, that the computer system of each covered entity be safe and secure from intrusion, have appropriate back-up systems, have procedures in place for safe information storage, retrieval, and transmission, and that any changes to the system be documented.



Administrative Simplification

This section refers to regulations that create uniform standards and requirements for the electronic transmission of health information. The administrative simplification section of HIPAA establishes a national standard for electronically transmitting information and a series of standard codes that covered entities must use to identify diagnoses, diseases, injuries, and other medical conditions. It also established a uniform system of electronic information exchange for the financial aspects of patient care. Administrative simplification is intended to streamline and standardize the administrative and financial aspects of providing care.

What’s at stake?

There has been increased governmental scrutiny and enforcement of HIPAA violations. The health care industry is seeing greater action by government agencies to ensure that patient information is protected.

  • The Office for Civil Rights (OCR) is now conducting random HIPAA Privacy and Security Audits.
  • The OCR continues to investigate breaches and imposes fines and penalties when it determines that patient privacy has not been adequately protected.
  • State Attorneys General are filing cases against healthcare providers for violations of patient privacy.


Privacy violations can result in steep fines and penalties under state and federal law.

  • Individuals may face federal criminal penalties ranging from $50,000 and up to one year of imprisonment to $250,000 and up to 10 years in prison.
  • Individuals may face monetary penalties under state law ranging from $2,500 to $250,000 for using, obtaining or disclosing PHI in a manner that violates state law.
  • Institutions may face civil monetary penalties and be subject to corrective action for failing to comply with federal and state privacy and information security laws.

The severity of the penalties depends on the circumstances of the violation and on your hospital’s policies and procedures.

So what is Protected Health Information (PHI)?

The following identifiers qualify as Protected Health Information, and are protected under HIPAA, if they are:

(1) created or received by a health care provider, health plan, or healthcare clearinghouse, and

(2) related to the past, present or future physical or mental condition of an individual, to payment for health care, or to the provision of health care to the individual.

  • Name (including initials)
  • Postal Address
  • All elements of dates except year
  • Fax number
  • URL address
  • Social security number
  • Account numbers
  • License numbers
  • Medical record number
  • Health plan beneficiary number
  • Device identifiers and their serial numbers
  • Vehicle identifiers and serial numbers
  • Biometric identifiers (finger and voice prints)
  • Full face photos and other comparable images
  • Any other unique identifying number, code or characteristic


What forms of patient information are protected?

We must protect individually identifiable information in all formats, for example:

  • Written: paper charts, printouts, letters, bills, patient face sheets
  • Spoken: conversations, phone calls
  • Electronic: patient information on computers, laptops, cell phones, DVDs/CDs; in email; patient information that travels across the internet or through social media


Your Role and Responsibility in preventing Protected Health Information (PHI) from being disclosed to unauthorized individuals

Ways to protect written information:

  • Keep documents (e.g., patient sign-in sheets, appointment schedules, patient “face sheets”) in areas not readily visible to visitors or the public.
  • Keep patient medical records in secured locations (e.g., the nurse’s station or a locked room).
  • Do not take PHI home.


Ways to protect verbal Protected Health Information (PHI)

  • Do not talk about PHI in public places such as hallways, elevators, cafeterias, buses and vans.
  • Close doors or pull curtains when discussing patient information (e.g., in a patient exam room or the emergency room).


Putting it in Perspective

  • As a Nurse Assistant, there are many different pieces of information you will need to protect in the course of your work, and it can be difficult to remember them all.
  • Instead of trying to remember all the details, take a step back and look at the bigger picture. Protecting privacy is the right thing to do. Do not break your patient’s trust. Your patient trusts you with their private information, so you have a moral and ethical responsibility to safeguard their personal and health information.


When is it okay to use Protected Health Information (PHI)?

As a Nurse Assistant, you are required to use and share PHI as part of your job. During shift change, you can share PHI when handing over to the next shift. You can also share PHI with other caregivers such as the Charge Nurse or primary RN. When you take your break, you can share PHI with the other Nurse Assistant covering your patients. Basically, you can share PHI with other disciplines, such as physical therapy, and with others involved in the patient’s treatment.

Just remember to access PHI only for work-related reasons. If you access PHI for reasons other than those necessary to perform your job responsibilities, you may be disciplined and could lose your job for the HIPAA violation. You cannot look up the patient information of family members (including your children), friends, neighbors, church members or co-workers for non-work-related reasons.

Reporting Privacy and Information Security Incidents

If you come across a HIPAA violation, do the right thing by reporting any actual or suspected privacy or information security incident immediately to your supervisor or the Office of Compliance in your facility. For example:

  • A co-worker is accessing the medical record of another co-worker, colleague, friend, supervisor, or celebrity without authorization to do so.
  • The unit secretary has been faxing, emailing, or mailing PHI to the wrong people or address.
  • Nurses are leaving documents such as report sheets containing PHI in conference rooms, cafeterias, parking lots or the break room.
  • You are aware of any lost or stolen PHI.
  • You notice a co-worker throwing un-shredded PHI into regular trash or recycling bins.
  • A co-worker is referring to patients and/or taking photos of them and posting them on social media sites (Facebook, MySpace, Twitter) without the patient’s written authorization.


If your facility uses Electronic Health Records, the following tips will help protect PHI:

  • Keep in mind that strong passwords are the key to data protection.
  • The longer and more complicated a password is, the stronger it is.
  • An easy way to create a password is to think of a phrase and use the first letter of each word. Mix upper and lower case and add numbers.
  • Do not use the words “password” or “Password”, or your own name, as the password.
  • Never share your computer accounts and passwords.
  • Don’t leave workstations without logging out.
  • Beware of common scams to steal user IDs and passwords. For example, never respond to emails that ask you to send your user ID and password for confirmation purposes.


Faxing and PHI

When sending a fax containing PHI, minimize the chance of a privacy breach by:

  • Using your facility’s approved cover sheet
  • Double-checking manually entered and pre-programmed numbers
  • Removing information from the fax machine in a timely manner
  • Limiting the instances in which you fax sensitive information, such as anything regarding mental health, chemical dependency, sexually transmitted diseases or HIV


Are you Liable?

  • The HIPAA Security Rule requires each employee to have a unique user ID for access to electronic PHI.
  • This ensures that users can be held accountable for their access to PHI.
  • Each user should only be given the access to PHI that is required for his/her job.
  • So just remember that you can be held responsible for any actions performed using your account.

