
Welcome to First Transit's HIPAA Awareness, Privacy and Security Training.

As part of your work with FT to provide Non-Emergency Transportation Service (NEMT Services), you learn personal and private information about riders' health and medical condition. That information is considered PHI, Protected Health Information. First Transit is committed to protecting our riders' information, and you should be too. You are obligated to protect the privacy and security of riders' PHI.

This training video covers:

- An overview of HIPAA
- How to identify Protected Health Information (PHI)
- Situations in which PHI can be mishandled
- Practical ways to protect the privacy and security of confidential information

Let's start with some definitions and review the federal regulations that protect the privacy and security of health information: HIPAA, HITECH and the Final Omnibus Rule of 2013.
First up is the Health Insurance Portability and Accountability Act, better known as HIPAA.
HIPAA was originally passed in 1996 and has been amended several times since then.
Although it is primarily known for its protection of PHI, HIPAA also:

- Ensures the portability of health insurance
- Sets standardized coding and administrative processes for health care billing
- Gives individuals access to and control over their health information

HIPAA created a special class of information called Protected Health Information, or PHI.
HIPAA imposes strict and specific restrictions on the use and disclosure of Protected Health Information (PHI).
HIPAA regulations have changed dramatically since its creation in 1996.
In 1996, your doctor probably took notes on paper and your medical record was in a physical file.
Today, the electronic age has forever changed your health records: your doctor is likely to take notes on a computer or tablet, storing your records in an electronic health records system.
Because electronic records flow faster and farther than paper records, new regulations have emerged to protect ePHI, Electronic Protected Health Information.

The Health Information Technology for Economic and Clinical Health Act, commonly referred to as HITECH, and the Final Omnibus Rule of 2013 amended HIPAA by extending privacy and security protections when using technology to collect, share and store data, and expanded the obligations of every individual who comes into contact with PHI, including you.
You may be asking, why is a transportation company worried about a health information law?
Well, HIPAA talks about covered entities, and they are the people we would think have access to private medical information. Covered Entities include: Healthcare Providers (doctors, hospitals, treatment centers), Health Plans (health insurance companies and public health plans like Medicaid and Medicare) and Healthcare Clearinghouses, businesses that manage healthcare billing.
However, covered entities aren't the only ones who must follow HIPAA Regulations.

Covered Entities often work with other companies and individuals to assist in providing services, and as part of that relationship PHI may be passed from the CE to another party.
Think of PHI as a stream of information that is passed from one party to another. The protections that HIPAA provides are attached to the information and flow with the information. Anyone who has access to that stream of information must comply with the HIPAA restrictions.
For example, when Medicaid provides FT with PHI about riders, FT becomes obligated to follow the HIPAA regulations. When FT passes that information to you, the HIPAA protections are attached to that information and you are obligated to follow the HIPAA Rules.
When a party gets PHI from a covered entity, HIPAA designates the new party as a Business Associate. Transportation Providers, lawyers, accountants, translation services and even janitorial companies may all be Business Associates. Business Associates are directly and separately liable for complying with HIPAA.

Since HIPAA obligations follow the PHI wherever it goes, now's a good time to find out what Protected Health Information is and where you will run into it during your day.
Protected Health Information is any information that:
1) Comes from a Covered Entity or Business Associate,
2) Identifies an individual, and
3) Is at all related to the individual's health, condition, healthcare or payment for health care.

Any information you receive about a rider from First Transit may be PHI.
Some examples of PHI may include:

- Riders' names
- Riders' addresses
- Riders' Medicaid # or other identification number
- Riders' contact information
- Riders' DOB or SSN
- Destination information (for example, the rider is going to or coming from a doctor's office, hospital or long term care facility)
- Billing information
- Notes or details about the rider's condition

This information must be kept private and secure.


So, what are the rules you need to follow?

Under HIPAA there are three main Rules:

The Privacy Rule protects an individual's health information by limiting the ways PHI can be used within a company and disclosed to others. Basically, this part of HIPAA is all about keeping information private. These are the rules for when you can access and share Protected Health Information.
The Security Rule protects the confidentiality, integrity and availability of electronic Protected Health Information, given the special risks of the electronic age. These rules include policy requirements, technical protections and even physical security concerns.
And finally, the Breach Notification Rule defines a HIPAA Breach and may require notifications to various entities, including the individual. This part of HIPAA deals with what to do when things go wrong.
Where do you start?
As a partner with First Transit you are expected to follow the Money Rule: treat all riders' information like it was your own money.
- You don't just give it away
- You don't give someone more than they need, and
- You don't leave it lying around

The Privacy Rule. Information is like money: you don't just give it away!
Generally, you may not use or disclose a rider's information.
Use includes access, viewing, or analyzing by you or your company. Disclose means allowing anyone outside of your company to access the information, including transferring, sharing, releasing or even allowing others to view the information.

There are exceptions to this do-not-use rule.

You may use or disclose PHI for TPO: Treatment, Payment or Operations.
- Treatment: provision, coordination, or management of health care and related services. For example, if you need the rider's information in order to take them to their medical appointment or coordinate their ride to their appointment.
- Payment: activities to determine coverage or eligibility or ensure payment or reimbursement of claims. For example, submitting bills to First Transit in order to get paid for taking a rider to a medical appointment.
- Operations: certain administrative and management activities of the Covered Entity.
Before you use or disclose a rider's PHI for anything other than Treatment or Payment, contact your First Transit Manager or First Transit's HIPAA Compliance Officer.
This includes requests for information based on a written Authorization from the rider, a Court Order, a law enforcement investigation, or another investigation or audit.

Even when a use is permissible, there are still limitations. Which brings us back to the second part of the money rule: you don't give someone more than they need.
For nearly all uses or disclosures, HIPAA requires adherence to the Minimum Necessary Standard, meaning that only the amount of Protected Health Information that is actually NECESSARY can be used or disclosed.
First Transit uses the need-to-know rule and you should too. Only those who need to know the information in order to perform their job properly should have access to riders' information.
This means that managers, dispatchers and drivers are likely to have different levels of access to riders' health information. This includes IT systems.
Remember, convenience or curiosity is not a reason to have access!
If you are NOT granted access and attempt to gain unauthorized access to a rider's information, you may be subject to disciplinary action up to and including termination.

On to the last part of the money rule: when it comes to money, or riders' information, you don't leave it lying around!
Security starts with you!
Did you know that you can be personally fined or subject to criminal prosecution for violating HIPAA regulations? Fines, penalties and jail sentences aren't just for corporations and executives. For instance, a disgruntled employee at the UCLA Medical School was prosecuted for violating HIPAA when he accessed private medical records. His sentence was 4 years in prison!
Potential penalties for HIPAA violations can be staggering! Up to $50,000 per violation! Plus, each individual could be a separate violation. For example, if you breached 100 riders' PHI, it could mean over a million dollars in fines!

Beyond fines and criminal prosecution for violating HIPAA, you could also receive disciplinary actions from First Transit or your employer, including exclusion from working with First Transit or termination of your contract, for not following HIPAA regulations or First Transit's privacy and security expectations.

You are responsible for protecting riders' information, and here are some tips to help you.
You must not be careless with personal health information or with access to that information.
If you are logging into any system with rider information, you should have a unique user identification and password. Sharing IDs or using general log-in IDs is not permitted.
Remember, you are responsible for the activities of your account, and your access will be monitored.
Do not share your user ID or password.
NEVER WRITE DOWN YOUR PASSWORD ON OR NEAR YOUR COMPUTER, WORKSTATION, TABLET OR PHONE.
Paper Files
Papers should be covered or shielded when not in use. Keep papers in a folder and turn papers upside down or use a coversheet to block information from view.

Paper records with personal information should be kept in locked cabinets or locked rooms with limited access. These areas and file cabinets should be marked clearly as Authorized Personnel Only.
Workstations and vehicles should be cleared of riders' personal information, including PHI, at the end of every workday.
Never just toss PHI-containing material in the garbage!
Shred paper or place it in locked disposal containers.

Conversations
Keep in mind that you never know who is listening! Be professional. Keep your voice down and be mindful of those around you.
When in the vehicle, take your cues from your rider. You can talk to a rider about their own health information, but you should be conscious of others who can hear you.
A word about social media
Never disclose work-related sensitive information through social media such as Facebook, Twitter, or Instagram.
First Transit's Policies prohibit you from sharing any customer information acquired through your work on any social media. This includes information you may think is public.
Even if you think you've taken out names, locations and dates, the information still might be identifiable to others.
Phone Calls and Radio Traffic
Check the phone number prior to calling.
Always ask to speak directly to the individual.
Do not leave detailed medical information with another individual or in a message.
The same goes for radio transmissions.
Limit the amount of detail as much as possible.
Faxes
Double check the fax number prior to sending.
Use the HIPAA Fax Cover Sheet; a sample is available under the Healthcare Provider Resources tab at www.firsttransit.com
Regularly validate pre-programmed numbers.

Send information only if the recipient has a legitimate need to know.

E-mail
Avoid sending any emails with PHI.
If you must send PHI in email, you must use secure e-mail.
Double check the e-mail address to make sure it is correct.
Include a disclaimer at the beginning of the e-mail noting that the information is confidential and that PHI may be contained in the body of the e-mail. A sample disclaimer is available under the Healthcare Provider Resources tab at www.firsttransit.com
Computers, Workstations and Tablets
Your PC, workstation and tablet may contain a LOT of PHI.
Log off or lock your PC when you leave it.
Shield paperwork from others and put it away when you're not around.
Portable devices, such as laptops or flash drives, must be encrypted if they have access to PHI transmitted from First Transit.
Be sure to fully wipe any hard drive or memory (whether in a PC, flash drive or a scanner) prior to disposing of or donating out-of-date systems. Simply throwing them in the trash is not sufficient.
Tablets, phones and other smart devices may all contain PHI.
Think about your business partners
In implementing safeguards to protect our riders' protected health information, be mindful of situations when the information flows to those outside of your company.
The following may have access to protected health information (and need to sign special contractual confidentiality requirements) because of the services they provide to your company:

- Cloud-based software vendors
- Overflow transportation providers
- Janitorial/Maintenance
- IT support
- Document archiving or destruction services
- Temporary staffing agencies
- Translation services

First Transit realizes that accidents may happen. So, what should you do when things go wrong?
Report the situation immediately to your First Transit manager or the First Transit Compliance Officer.
HIPAA requires specific notification in the event unsecured (unencrypted) PHI has been breached. A Breach is the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the information.
- Business Associates must report all breaches to the Covered Entity
- Individuals must be notified when their information has been breached
- The Department of Health and Human Services must be notified of all breaches at least once a year, and immediately if a breach involves more than 500 individuals
- Notification to local news or media outlets may also be required

Examples of recent breaches include:

- Theft of unencrypted laptops
- Loss of unencrypted backup flash drives
- Snooping employees checking records of friends, family members or celebrities
- Unshredded papers with PHI thrown out in regular trash bins
- Leased printers returned without first having their hard drives wiped
- Firewalls left open, making records accessible to the public

Per your contract with First Transit and your obligations under HIPAA, you must immediately report any unauthorized access of riders' PHI to First Transit.
You must also report any Security Incident. A Security Incident is any suspected or successful attempt that could compromise the security of a system, a network or an electronic version of our riders' PHI.
Examples of reportable occurrences:

- Mailing mishaps: letters, emails or faxes with PHI sent to the wrong recipient
- Missing files or paperwork containing PHI
- Missing or stolen computers or flash drives containing ePHI
- Malware or viruses on systems with ePHI
- Compromised passwords to systems with ePHI

Want more information about HIPAA? Try these resources:

- CMS: www.cms.hhs.gov/SecurityStandard/
- Office of Civil Rights: www.hhs.gov/ocr/hippa/
- US DHHS: www.hhs.gov