HIPAA and Harassment

Question 1

HIPAA

Answer 1

Health Insurance Portability and Accountability Act (US)

Question 2

PIPEDA

Answer 2

Personal Information Protection and Electronic Documents Act (Canada)

Question 3

What is the purpose of HIPAA?

Answer 3

• Protect patient’s protected health information
• Giving patient’s appropriate access to their information
• Promoting high quality healthcare

Question 4

PHI

Answer 4

Protected Health Information

Question 5

What are the three rules of HIPAA?

Answer 5

• Privacy Rule
• Security Rule
• Breach Notification Rule

Question 6

What is the purpose of the Privacy Rule?

Answer 6

To assure PHI is protected while allowing the flow of health information needed to provide and promote high quality healthcare.

Question 7

What are the three major aspects of the Privacy Rule?

Answer 7

• Minimum Necessary Rule
• Access/Use of PHI
• Disclosure of PHI

Question 8

What is the Minimum Necessary Rule?

Answer 8

A rule that requires you to make reasonable efforts to access, disclose, and request only the minimum amount of PHI needed for the treatment of the patient.

Question 9

What are login credentials used for?

Answer 9

To create a unique electronic footprint. Every click made is tracked and monitored in the EMR/Speke platforms. You are required to keep your login confidential and you are prohibited to use anyone else’s login credentials.

Question 10

How can you protect your workstation and keep your device secure?

Answer 10

• Do not share your login information with anyone
• Do not keep passwords written down anywhere
• Do not download or access any apps
• Log out anytime you step away

Question 11

Access/Use of PHI

Answer 11

You should only access PHI for business-related purposes. This means that you should only access records if a patient has been assigned to you. It is prohibited for you to access your own PHI. It is prohibited for you to access records of family, friends, or coworkers - even if they authorize you to do so.

Question 12

What is an access audit?

Answer 12

Audits are conducted to provide detailed information about your access to PHI. Audits provide your manager/company with the date and time of you access; each portion of the chart that you accessed; the length of time of your access; modifications you made to the chart; the workstation used to access the chart; and even your IP address disclosing your location when you accessed the chart.

Question 13

What types of access audits can be conducted to find out if PHI has been accessed illegally?

Answer 13

• Same Last Name Audit
• Same Address Audit
• VIP audit
• Patient Requested Audit

Question 14

Disclosure of PHI

Answer 14

You are permitted to disclose protected health information only to the minimum extent necessary for the treatment of the patient. Ex. you may share PHI with the treating provider or other members of the patients care team (i.e. nurse, consulting physician).

Question 15

With whom/where should you NOT disclose PHI?

Answer 15

• Any employee that is NOT on the patient’s care team
• Family
• Friends
• Common areas (hallways/elevators)

Question 16

Social Media and PHI

Answer 16

Posting or publishing information about a patient on social media or the internet is STRICTLY PROHIBITED.

Question 17

Photography/Video Recordings and PHI

Answer 17

Company policy STRICTLY PROHIBITS taking photographs and video recordings in the facility.

Question 18

T/F: If you’re reasonable certain the patient could not be identified, then it’s OK to post a photo of a patient on social media.

Answer 18

FALSE - No details of visits should be released as ANYTHING could tie a patient to a visit!O

Question 19

Y/N: A fellow scribe says the x-ray for the fracture they just saw is really cool. They offer to pull it up for you to see and so you don’t have to use your login. Is this ok?

Answer 19

NO - This violates the minimum necessary rule because this is not needed for the patient’s care. Also, you are NOT assigned to this patient and have no right to view this information.

Question 20

When is it okay to document outside of EMR?

Answer 20

• On a company or facility authorized desktop-built notepad on your company or facility device
• On paper provided by the facility in the event of EMR downtime

Question 21

What are unauthorized forms/applications used for note taking?

Answer 21

• Online notepad
• Email
• Google Doc
• Word Doc

Question 22

Which of the following is ok to use to send PHI?

• Messenger
• Encrypted email or encrypted service
• Email
• Text

Answer 22

Encrypted email or encrypted service

Question 23

What is the purpose of the Security Rule?

Answer 23

To establish a national set of security standards for PHI.

Question 24

What is access management?

Answer 24

Access management is a company’s way to ensure employees are provided access based on their role in the organization to ensure they are only given the appropriate amount of access to ePHI.

Question 25

What are the 4 important measures a manager must ensure when an employee advises they will be separating form the company?

Answer 25

- That the manager know the last day of work and make plans to revoke access to any sensitive informaition - For any equipment that was issued in order to work to be returned - For items that grant access to sensitive information be turned in (ID cards, access keys, etc.) - For EMR access and relevant logins to be made inactive

Question 26

Who must you report suspected or known security incidents to?

Answer 26

- Your manager - Privacy Officer - Security Officer - Hipaa@healthchannels.com - Legal@healthchannels.com - 888-386-4370

Question 27

What should your home router encryption be set to?

Answer 27

- WPA2 - WPA3 - WPS Disabled

Question 28

What is the flow of an privacy issue investigation?

Answer 28

1. Investigation is Opened 2. Collection of Evidence 3. Interviews 4. Documentation 5. Risk Assessment (when a patient privacy issue becomes a HIPAA Breach)

Question 29

Who can determine if a patient privacy issue has become a HIPAA Breach?

Answer 29

ONLY the Privacy Officer on the investigation can determine if a patient privacy issue has become a HIPAA Breach.

Question 30

What is the Breach Notification Rule?

Answer 30

If an internal HIPAA risk assessment determines that there is a high probability of the compromise of the security or privacy of the patient’s PHI, the Privacy Officer will consider the incident a HIPAA Breach notifying event. If an incident is determined to be a HIPAA Breach notifying event we MUST report the incident to a client and the facility that the client’s health information was compromised.

Question 31

What part of a persons identity would be considered a Protected Group?

Answer 31

- Ancestry - Age - Color - Disability - Gender - Marital Status - Medical Condition - Military or Veteran Status - National Origin - Pregnancy status - Race - Religion - Sexual Identity/Orientation - Worker’s Compensation Status

Question 32

What is Discrimination?

Answer 32

Treating someone less favorably because of their actual or perceived membership in a certain group or social category.

Question 33

What is a fair and non-discriminatory workplace?

Answer 33

A workplace in which employees are protected from discrimination at all stages of employment, including but not limited to, recruiting, hiring, training, and compensation.

Question 34

How to avoid discrimination claims?

Answer 34

- Treat employees fairly - Treat employees with respect and dignity - Don’t bully - Don’t stereotype - Don’t make any references or jokes that are based on race, gender, religion, or other protected status - When there is any doubt, don’t say it or do it!

Question 35

What is harassment?

Answer 35

Harassment refers to the illegal form of discrimination. It is unwelcome, unwanted or offensive conduct based on or because of an employee’s protected group.

Question 36

What is sexual harassment?

Answer 36

Un welcomed sexual advances, requests for sexual favors, and other verbal or physical conduct of sexual nature when: - submission to such conduct is explicitly/implicitly a term or condition of an individuals employment - submission to or rejection of such condition by an individual is used as a basis for employment decisions affecting the individual - such conduct has the purpose of substantially interfering with an individuals work performance - such conduct has the purpose of creating an intimidating, hostile, or offensive work environment

Question 37

What qualifies as harassment?

Answer 37

Speech or conduct that: - Denigrates or shows an aversion to an individual based on any protected characteristic - Has the purpose or effect of creating an intimidating, hostile, or offensive work environment - Has the purpose or effect of unreasonably interfering with an individual’s work performance - Otherwise adversely affects an individual’s employment opportunities

Question 38

What are forms of harassment?

Answer 38

- Verbal - Non-verbal - Physical - Visual

Question 39

Who decided what is ‘unwelcome’ or ‘offensive’?

Answer 39

- The victim (the subjective standard) - The hypothetical ‘reasonable person’ (the objective standard) * The intent of the alleged harasser is irrelevant

Question 40

Who can e the harasser?

Answer 40

- Supervisors - Co-workers or peers - Customers, clients, or other third parties

Question 41

Where can harassment occur?

Answer 41

- The workplace - On ‘working time’ outside the facility - At work related social events or business functions - Int he context of a ‘personal’ romantic or sexual relationship between employees (off-site/off-hours)

Question 42

What is retaliation?

Answer 42

Adverse action against a covered individual because the employee engaged in a protected activity. Employers CAN NOT punish employees for making discrimination or harassment complaints or participating in workplace investigations. RETALIATION IS PROHIBITED.