This document outlines the objectives and key points of a privacy and information security awareness course. It discusses laws governing protected health information, such as HIPAA and HITECH. Sensitive information that must be protected includes PHI and PII. Individual responsibilities include maintaining integrity, confidentiality, and availability of information. Incidents like unauthorized access or discussion of sensitive data should be reported. Failure to comply with privacy laws can result in civil or criminal penalties such as fines and imprisonment.
1. PRIVACY & INFORMATION SECURITY AWARENESS
Ashford University
MHA 690: Health Care Capstone
Dr. Sherry Grover
May 23, 2013
2. Course Objectives
Knowledge of the laws that govern the privacy and protection of identifiable health information
Recognize the types of information that must be kept private
Recognize your responsibilities to protect privacy when handling sensitive information
How to protect the privacy of identifiable health information
Examples of incidents to report
Knowledge of the process for reporting incidents and the penalties for non-compliance
3. Laws and Regulations
Privacy Act of 1974 – Governs the collection, use and distribution of a person's identifiable information kept in a system of records
Health Insurance Portability & Accountability Act (HIPAA) – law that protects the privacy of a person's personal health information
Federal Information Security Management Act (FISMA) – law that requires a risk assessment program, policies and procedures, evaluation of security controls, and information security training for all employees
Health Information Technology for Economic and Clinical Health Act (HITECH) – requires patients to be notified of a security breach, funds the adoption of health information technology by organizations, and strengthens enforcement of HIPAA violation penalties
4. What to Protect
Sensitive information includes both our organizational business information and patients' private information. Violations can be accidental or deliberate. Do not disclose, modify, or destroy any sensitive information unless you are authorized to do so. Sensitive information includes:
Protected Health Information (PHI)
Personally Identifiable Information (PII)
Internal Business Information
5. Your Responsibilities to Protect It
Information security is maintained when you ensure the following:
Integrity – information is protected from unauthorized alteration, damage or destruction
Confidentiality – information is kept private and not disclosed to those who do not have permission to view it
Availability – access to information systems and networks is available to those who have been granted permission
6. How to Protect It
Follow the policies and procedures
Only access and view information that you need to do your job
Use encrypted email when sending sensitive information
Do not place sensitive information in trash receptacles
Do not discuss sensitive information in public places
8. Examples of Incidents
Observing someone access records that he/she should not
Observing someone change or delete records without proper permission
Finding a device containing sensitive information
Hearing a person disclose sensitive information to an unauthorized person
Accessing mail or email that you should not access
10. How to Report an Incident
Immediately notify your supervisor and the Information Security Officer (ISO) of:
Person(s) involved
The time of the incident
What information was shared
If the incident occurs after hours or on a weekend, call the Helpdesk @ 800-877-4327.
11. Consequences
Suspension of access to information systems
Disciplinary actions in your personnel file
Suspension or job loss
Civil or criminal prosecution
Fines and/or imprisonment
12. Civil and Criminal Penalties
Destroying records without authorization – $2,000 in fines & 3 years in prison
Violation of the Privacy Act – $5,000 & 1 year in prison per occurrence
Intentional incident – $250,000 in fines & 10 years in prison
13. References
All images were from http://www.dreamstime.com/free-photos-images/flowers.html
Privacy and Information Security Awareness. Retrieved from https://www.tms.va.gov
Velez, J. (2003). HIPAA privacy compliance implications and solutions. Caribbean Business.