Privacy related power point presentation

ferhatevliyaoglu1 9 views 51 slides Mar 08, 2025

Slide Content

Slide 1: Compliance Privacy and Security Awareness Training (March 2022)

Slide 2: What is Privacy and Security Training?
This training course:
- highlights the importance of information privacy and security;
- describes health information and the rights of the individuals to whom the information relates;
- explains how individually identifiable health information is protected under state and federal privacy laws; and
- explains how to implement and adhere to Signify Health’s privacy and security policies and procedures in order to protect such information.

Slide 3: Privacy and Information Security
Privacy: what do we mean when we talk about ‘privacy’? Privacy includes the right of individuals to keep information about themselves from being disclosed to others.
Information Security: what do we mean when we talk about ‘information security’? Information security is about our responsibility to keep information accurate, secure and safe from misuse and other harm.

Slide 4: Why Does It Matter? Employee sanctions and disciplinary measures
HIPAA requires covered entities to establish and apply appropriate sanctions against members of their workforce who fail to comply with privacy policies and procedures. Signify Health has adopted disciplinary procedures and, in compliance with HIPAA, will consistently apply these measures to all members of its workforce. Violations of Signify Health’s privacy policies and procedures constitute grounds for disciplinary action up to and including termination, professional discipline, and criminal prosecution.
Example: Seattle Cancer Care Alliance. An employee accessed a patient’s medical record to obtain the patient’s name, birth date and Social Security number. He used this information to fraudulently obtain four credit cards, charging almost $9,000 in the patient’s name. He was charged and found guilty, sentenced to 16 months in prison and fined, and must reimburse the affected credit card company(s) and the patient whose PHI he stole.

Slide 5: Introduction: Privacy. Learning Objectives
- What is HIPAA?
- What is the HIPAA Privacy Rule?
- Which identifiers turn health information into Protected Health Information?
- How to recognize situations in which Confidential and Protected Health Information can be mishandled.
- Practical ways to protect the privacy and security of Sensitive Information.

Slide 6: What is HIPAA? HIPAA and its Rules
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to protect a subset of Sensitive Information known as Protected Health Information (PHI). In 2009, HIPAA was expanded and strengthened by the HITECH Act (Health Information Technology for Economic and Clinical Health). This training module focuses on two primary HIPAA rules, as amended by HITECH: the HIPAA Privacy Rule and the HIPAA Security Rule.

Slide 7 (The HIPAA Privacy Rule): Covered Entities and Business Associates Have a Duty to Protect PHI
Under HIPAA, a “covered entity” is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction (for example, billing or eligibility checks). Pursuant to HIPAA, individually identifiable health information collected or created by a covered entity is considered “Protected Health Information” or “PHI”. A “business associate” means an organization or person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of Protected Health Information. Depending on the circumstances, Signify Health is either a Business Associate or a Covered Entity; either way, Signify Health must comply with HIPAA requirements at all times.

Slide 8 (The HIPAA Privacy Rule): What is Protected Health Information (PHI)?
PHI is any information, transmitted or maintained in any medium, including demographic information, that:
- is created or received by a covered entity or business associate;
- relates to or describes past, present or future physical or mental health or condition, or past, present or future payment for the provision of healthcare; and
- can be used to identify the patient.

Slide 9 (The HIPAA Privacy Rule): Types of Data Protected by HIPAA
- Written documentation and all paper records.
- Spoken and verbal information, including voicemail messages.
- Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device.
- Photographic images.
- Audio and video.

Slide 10 (The HIPAA Privacy Rule): Any of the following are considered identifiers under HIPAA
The US Department of Health and Human Services defines protected health information (PHI) as individually identifiable health information, that is, health information combined with one or more of the HIPAA identifiers listed on this slide.

Slide 11 (The HIPAA Privacy Rule): Access Must be Authorized
If a workforce member accesses or discloses PHI without a patient’s written authorization or without a job-related reason for doing so, the workforce member violates Signify Health policy and HIPAA. A workforce member may only access or disclose a patient’s PHI when this access is part of the workforce member’s job duties and such access is in accordance with Signify Health policies and procedures. For any use or disclosure that HIPAA does not otherwise permit (see the permitted disclosures on slide 21), a covered entity or business associate must obtain the individual’s authorization for EVERY separate occasion on which it proposes to use or disclose PHI. Authorizations must:
- be given in writing;
- be linked to a specific purpose;
- be signed by the individual;
- identify the people who might use the PHI, or to whom it might be disclosed; and
- set an expiration date, or an event upon which the authorization ceases to be valid.

Slide 12 (The HIPAA Privacy Rule): Unauthorized Access
It is never acceptable for a workforce member to look at PHI “just out of curiosity”, even if no harm is intended (e.g., retrieving an address to send a ‘Get Well Soon’ card). It also makes no difference whether the information relates to a “high profile” person or a close friend or family member: ALL information is entitled to the same protection and must be kept private. These rules apply to all members of the Signify Health workforce, including providers. HIPAA protections apply to a deceased person’s PHI for 50 years after they have died.

Slide 13 (The HIPAA Privacy Rule): Breaches
A breach occurs when information that, by law, must be protected is:
- lost, stolen or improperly disposed of (e.g., the paper or device on which the information is recorded cannot be accounted for);
- “hacked” into by people or automated programs that are not authorized to have access (e.g., the system in which the information is located is compromised through a “worm”); or
- communicated or sent to others who have no official need to receive it (e.g., gossip about information learned from a medical record).
Cartoon caption: “Somehow your medical records got faxed to a complete stranger. He has no idea what’s wrong with you either.”

Slide 14 (The HIPAA Privacy Rule): Breach Notification Regulations
If it is determined that a breach of unsecured PHI occurred, the covered entity must notify the affected individual(s) (or next of kin) without unreasonable delay, and no later than 60 calendar days from discovery of the breach. If more than 500 individuals are affected, the covered entity has additional obligations, including notifying the Department of Health and Human Services without unreasonable delay (and, where more than 500 residents of a state or jurisdiction are affected, prominent media outlets); smaller breaches are logged and reported to HHS annually. As a Business Associate of our clients, Signify Health has a duty to notify our clients immediately; they may then have to provide the notifications described above, depending on the circumstances of the breach.

Slide 15 (The HIPAA Privacy Rule): Workforce Members Must Report Breaches
Part of your responsibility as a Signify Health workforce member is to report privacy breaches involving PHI to your supervisor AND one of the following:
- Signify Health’s Chief Privacy Officer, Tracey Scraba, via [email protected]
- Signify Health’s Chief Information Security Officer, Tim Williams, via [email protected]
- Signify Health’s Chief Compliance Officer, Erin Kelly, via [email protected]
If you notice, hear, see or witness any activity that you think might be a breach of privacy or security, IMMEDIATELY notify the appropriate people as described above. It is much better to investigate and discover no breach than to wait and later discover that a breach DID occur.

Slide 16 (The HIPAA Privacy Rule): No Retaliation
Signify Health workforce members may not threaten or take any retaliatory action against an individual for exercising his/her rights under HIPAA or for filing a HIPAA report or complaint, including reporting a suspected privacy or security breach.

Slide 17 (The HIPAA Privacy Rule): Department of Justice Criminal Penalties
- Wrongfully accessing or disclosing PHI: fines up to $50k and up to 1 year in prison.
- Obtaining PHI under false pretenses: fines up to $100k and up to 5 years in prison.
- Wrongfully using PHI for commercial activity: fines up to $250k and up to 10 years in prison.
HIPAA criminal and civil fines and penalties can be enforced against individuals as well as covered entities who obtain or disclose PHI without authorization.

Slide 18 (The HIPAA Privacy Rule): Federal Civil Money Penalties
Civil money penalties imposed by HHS are tiered by the violator’s level of culpability:
- Tier A: did not know of the violation (and would have handled it differently had they known). Minimum per violation: $100 (each name in the data set can be a violation); maximum per calendar year: $25k.
- Tier B: violations due to reasonable cause, but not “willful neglect”. Minimum per violation: $1,000 (each name in the data set can be a violation); maximum per calendar year: $50k.
- Tier C: violations due to willful neglect that the organization corrected. Minimum per violation: $10k; maximum per calendar year: $250k.
- Tier D: violations due to willful neglect that the organization did not correct. Minimum per violation: $50k; maximum per calendar year: $1.5 million.

Slide 19 (The HIPAA Privacy Rule): Federal Civil Money Penalties (cont’d)
HHS is required to investigate and impose civil penalties where violations are due to willful neglect. The federal government has 6 years from the occurrence of a violation to initiate a civil penalty action. State Attorneys General can also pursue civil cases against individuals who violate the HIPAA privacy and security regulations.

Slide 20 (The HIPAA Privacy Rule): Example Enforcement Action
Affinity Health Plan, Inc. discovered, and reported to HHS, that it had returned leased photocopiers to the leasing agent without first erasing the data on the copiers’ hard drives, including PHI. The breach was estimated to have affected 344,579 individuals. Following an investigation, Affinity entered into a settlement agreement with HHS providing for a $1.2 million payment and a corrective action plan (CAP).
Lessons learned:
- Copiers: erase all data from hard drives before a device leaves your control.
- Faxes: confirm authorization; verify telephone numbers before faxing; use pre-programmed numbers when possible.
- Devices: encrypt; enable and use password protection.

Slide 21 (The HIPAA Privacy Rule): HIPAA Permitted Disclosures of PHI
The HIPAA Privacy Rule states that PHI may be used and disclosed to facilitate treatment, payment and healthcare operations (TPO), which means:
- PHI may be disclosed to other providers for treatment.
- PHI may be disclosed to other entities for treatment.
- PHI may be disclosed to other covered entities that have a relationship with the patient for certain healthcare operations such as quality improvement, credentialing and compliance.
- PHI may be disclosed to individuals involved in the patient’s care or payment for care, unless the patient objects.
- PHI may be disclosed by a business associate to the covered entity for whom the business associate is performing services.

Slide 22 (The HIPAA Privacy Rule): Minimum Necessary Standard
When HIPAA permits a use or disclosure of PHI, a covered entity must use or disclose only the minimum necessary PHI required to accomplish the purpose of the use or disclosure. The only exceptions to the minimum necessary standard are disclosures made for the following reasons:
- treatment;
- purposes for which the individual has signed an authorization;
- disclosures required by law; and
- disclosures to the individual of his or her own PHI.

Slide 23 (The HIPAA Privacy Rule): Other Privacy Safeguards
- Avoid conversations involving PHI in public or common areas (e.g., hallways, elevators, etc.).
- Keep documents containing PHI in locked cabinets or locked rooms when not in use.
- Do not leave materials containing PHI on desks or counters, in conference rooms, or in other public areas.
- Do not remove PHI in any form (electronic, hard copy) or by any means (e.g., email, fax, carrying it out, etc.) from the designated work site unless authorized to do so by management.
- Never record conversations while in our call centers or while visiting members.

Slide 24 (The HIPAA Privacy Rule): Reporting Loss or Theft of PHI and Signify Health Devices
Signify Health workforce members must report the loss or theft of any PHI or Signify Health devices (e.g., laptop or iPad). The report must be submitted immediately to the Signify Health help desk ([email protected]).
Example: Massachusetts Eye and Ear Infirmary agreed to pay HHS $1.5 million for HIPAA violations resulting from the theft of an unencrypted laptop containing PHI of patients and research subjects. HHS’s investigation determined that the Infirmary failed to take necessary steps to ensure the confidentiality and security of PHI created, maintained, and transmitted using portable devices.

Slide 25 (The HIPAA Privacy Rule): Signify Health as a Business Associate
In most instances, Signify Health is a Business Associate to our customers, and our customers are the covered entities. As a Business Associate, Signify Health is directly liable for compliance with the HIPAA Privacy and Security requirements and must:
- enter into a Business Associate Agreement (BAA) with the covered entity (customer);
- use appropriate safeguards to prevent the access, use or disclosure of PHI other than as permitted by our customer contract and BAA with the covered entity;
- impose these same obligations on any subcontractor with whom we share PHI or who may receive PHI on our behalf;
- promptly notify the covered entity (our customer) of any breach of unsecured PHI; and
- ensure that our workforce members receive HIPAA training and that our subcontractors who use, receive, collect or access PHI on our behalf provide HIPAA training to their employees.

Slide 26 (The HIPAA Privacy Rule): Business Associates of Signify Health
Any time Signify Health contracts with an entity (“Subcontractor”) to perform services on behalf of Signify Health, and Signify Health will be disclosing PHI to the subcontractor or the subcontractor will be collecting PHI on behalf of Signify Health, Signify Health must have a Business Associate Agreement (BAA) with the subcontractor. Signify Health cannot disclose PHI to a subcontractor or to any person or entity other than a client without a BAA in place or the General Counsel’s approval.

Slide 27 (The HIPAA Privacy Rule): Lesson Review
- Sensitive information exists in many forms: printed, spoken and electronic. Sensitive information includes Social Security numbers, personnel information, computer passwords and PHI.
- There are a number of state and federal laws that impose privacy and security requirements, including HIPAA.
- Two primary HIPAA regulations are the Privacy Rule and the Security Rule.
- When used to identify a patient and combined with health information, HIPAA identifiers create PHI.
- Signify Health may use or share only the minimum necessary information to perform its duties.
- A contractor providing services involving PHI is called a Business Associate. A covered entity and business associate must enter into a Business Associate Agreement (BAA).

Slide 28 (The HIPAA Privacy Rule): Lesson Review (cont’d)
- A Business Associate must enter into a BAA with any of its subcontractors who will collect PHI on the Business Associate’s behalf or with whom the Business Associate will share PHI.
- Business Associates are directly liable for HIPAA compliance and must ensure that their employees and subcontractors receive HIPAA training and employ appropriate safeguards for PHI.
- Reports of privacy incidents should be directed to [email protected] or to the Chief Privacy Officer, Tracey Scraba, [email protected].

Slide 29: Introduction: Security Awareness. Learning Objectives
- Why this training is mandatory.
- Physical and workstation security.
- Passwords and email.
- Internet usage and computer threats.

Slide 30 (Security Awareness): HIPAA Security Rule
The HIPAA Security Rule operationalizes the protections contained in the HIPAA Privacy Rule by addressing the technical and non-technical safeguards that covered entities must put in place to secure individuals’ “electronic protected health information” (e-PHI). Each individual at Signify Health is legally responsible for adhering to this rule.

Slide 31 (Security Awareness): Why is HIPAA Security Awareness Training Mandatory?
Because you are a workforce member with access to computer equipment or software containing protected health information belonging to Signify Health and Signify Health’s clients, the HIPAA Security Rule requires that you participate in HIPAA Security Awareness training to learn the basic procedures for protecting that information. Following Signify’s electronic security procedures is important, as these procedures support:
- Confidentiality: only the appropriate people see the information.
- Integrity: the information has not been altered or destroyed without authorization.
- Availability: information is consistently and readily accessible to authorized parties.

Slide 32 (Security Awareness): Security Awareness is Everyone’s Responsibility
This training is designed for:
- Signify Health employees, contractors and vendors.
- Any individual or entity with access to a Signify Health computing system.
- Any individual or entity with access to Signify Health data.

Slide 33 (Physical and Workstation Security): Physical Security
Information security is only effective if we control physical access to the data or systems. Workspace access is limited to authorized individuals. Visitors and vendors must sign in and out to create a record of their visit, and must be escorted from arrival to departure. Each employee receives an access badge that is programmed to grant the access that employee needs, and each person must swipe their badge when entering a controlled area: no piggybacking (following someone else through a door without badging in). If you see anyone in a Signify Health office without the appropriate badge, immediately notify your Manager.

Slide 34 (Physical and Workstation Security): Prohibited and Designated Areas
Being an employee, vendor or contractor does not warrant access to all Signify workspaces. For example, inventory, telecom and server rooms are restricted to authorized individuals. Immediately report the following situations to your manager:
- You observe a secured space where a door has been propped open and left unattended.
- You see or hear of potential access by unauthorized individuals.

Slide 35 (Physical and Workstation Security): Workstation/Laptop Security
Signify Health leverages a variety of safeguards to protect computing assets with access to non-public information. This includes restricting access to these devices so that they are only available to specifically authorized users. Furthermore, all user activity is monitored and recorded (websites visited, file and system access, etc.). To protect Signify information, we need your help:
- Only send non-public information via email when specifically authorized.
- When emailing, encrypt all sensitive information by putting the following tag in your email subject line, like this: Email Subject: [Encrypt] Patient Data You Requested
- Report any suspicious emails or requests to [email protected], or by forwarding them to the Service Desk.
- Just because a phone call or email claims to be from a partner or Signify employee doesn’t mean it is. Always verify that a person is who they claim to be before providing any information.
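The [Encrypt] subject tag on this slide only works if the sender remembers to add it, so mail gateways usually pair it with a data-loss-prevention check on the outbound message itself. The following Python script is an added example, not part of the training deck or of any Signify Health system: it parses a raw message, honours the tag, and otherwise quarantines untagged mail that carries PHI-like identifiers to an address outside an assumed internal domain (example.com). The identifier patterns, the internal domain and the three sample messages are constructed for the illustration; a real DLP policy would use far broader detectors.

```python
"""Outbound mail policy check: honour the [Encrypt] tag, catch the case
where it was forgotten. Added example; patterns, domain and samples are assumed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

ENCRYPT_TAG = "[encrypt]"   # the subject tag from the slide, matched case-insensitively

# Hypothetical identifier patterns for the illustration only.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.I),
}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_parts(msg: Message) -> str:
    """Concatenate the decoded text/plain parts (or the single-part body)."""
    if msg.is_multipart():
        chunks = [p.get_payload(decode=True) or b"" for p in msg.walk()
                  if p.get_content_type() == "text/plain"]
    else:
        chunks = [msg.get_payload(decode=True) or b""]
    return "\n".join(c.decode("utf-8", "replace") for c in chunks)


def find_phi(text: str) -> list[str]:
    """Names of the identifier patterns that match anywhere in text, sorted."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def outbound_decision(raw: str, internal_domain: str = "example.com") -> tuple[str, list[str]]:
    """Gateway decision for one outbound message.

    Returns (action, findings): 'encrypt' when the sender tagged the subject,
    'quarantine' when untagged PHI-like data is addressed outside the
    organisation, and 'deliver' otherwise. Findings are returned in every case
    so the gateway can log them even when the mail is allowed through.
    """
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    rcpts = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = any(_domain(a) != internal_domain for a in rcpts)
    findings = find_phi(subject + "\n" + _text_parts(msg))

    if ENCRYPT_TAG in subject.lower():
        return "encrypt", findings          # tag honoured regardless of content
    if findings and external:
        return "quarantine", findings       # the failure mode: PHI, no tag, external recipient
    return "deliver", findings


# Constructed sample messages (not real mail).
SAMPLE_TAGGED = """\
From: nurse@example.com
To: Lee Chen <lee@clinic.org>
Subject: [Encrypt] Patient Data You Requested

Member SSN 123-45-6789, DOB 04/12/1961. See attached visit summary.
"""

SAMPLE_UNTAGGED_EXTERNAL = """\
From: analyst@example.com
To: vendor-support@partner.net
Subject: Follow-up on chart review

Please pull MRN 00483921 and send me the last three visits.
"""

SAMPLE_INTERNAL = """\
From: ops@example.com
To: lead@example.com
Cc: team@example.com
Subject: Friday standup moved to 10am

Room 3B. Bring the sprint board.
"""

if __name__ == "__main__":
    for name, raw in [("tagged", SAMPLE_TAGGED),
                      ("untagged external", SAMPLE_UNTAGGED_EXTERNAL),
                      ("internal", SAMPLE_INTERNAL)]:
        print(name, "->", outbound_decision(raw))
```

The tag is honoured even when no pattern fires, because the sender may know something the detector does not; the quarantine branch only exists to catch the forgotten tag, and a human still has to release or reject the held message.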

Slide 36 (Physical and Workstation Security): Steps to a Secure Workstation
- Lock your computer every time you leave your desk.
- Use your workstation for authorized business purposes only.
- Under NO circumstances should passwords be shared. Comply with all password policies and procedures.
- Never install unauthorized software on your workstation.
- Make sure that all protected information is stored in an authorized network share or secure location.
- Weekly, connect to and stay logged in to the Virtual Private Network (VPN) so that critical computer updates and patches are received.
- Confidential company information should not be stored on or transferred to a personal device without express permission from Signify Health’s Chief Information Security Officer (CISO).
- If travelling internationally, contact the Service Desk at least several weeks in advance, as you will be issued a specially configured laptop for security purposes.

Slide 37 (Physical and Workstation Security): Bring Your Own Device (BYOD) Acceptable Usage
Employees are authorized to use a personal cell phone to manage email and Slack communication. However, these devices may not be used to process any ePHI or PII data. Using a personal device to take pictures, video or other recordings is prohibited in Signify Health workspaces or while conducting work on behalf of Signify Health; any exception must receive advance, written authorization from Signify management. Signify Health policies pertaining to harassment, discrimination, retaliation, trade secrets, confidential information and ethics apply to employees regardless of whether such activity occurs on a work or personal device.

Slide 38 (Physical and Workstation Security): BYOD Acceptable Usage (cont’d)
To ensure the security of Signify Health information, authorized employees may be required to:
- Install anti-virus software on their device.
- Install and maintain a Signify Health-issued mobile device management (MDM) software program.
- Encrypt the device.
- Ensure any backups of the data are also encrypted (e.g., in Apple iCloud).
- Set a screen lock, password or biometric protection that only the employee knows.
Employees may not use cloud-based apps or backups that allow company-related data to be transferred to unsecured parties. Due to security issues, personal devices may not be synchronized with other devices in employees’ homes.

Slide 39 (Physical and Workstation Security): Visiting Internet Sites
Internet usage is intended and made available for business purposes. The following categories of internet sites should not be viewed under any circumstances:
- Adult/sexually explicit material.
- Chat and instant messaging.
- Gambling.
- Illegal drugs.
- Peer-to-peer file sharing.
- Spyware.
- Discriminatory, unprofessional, tasteless, offensive or harassing content.

Slide 40 (Physical and Workstation Security): Internet Activities
Be careful about providing personal or sensitive information to an internet site. Be aware that you can get viruses from malicious web sites, emails, or even unauthorized instant messaging services. A virus can install itself on your computer in many different ways, including via:
- a security breach;
- unauthorized access;
- email attachments or links; and
- web sites.

Slide 41 (Information Protection): Information Safeguards
- Secure workspace: do not discuss or leave critical information in the open, or in areas where unauthorized individuals could overhear or see the information.
- Recordings: do not discuss Covered Information when leaving voicemails.
- Consider your surroundings: do not discuss Sensitive or Covered Information in areas where it could be overheard by unauthorized individuals.
- Secure communications: don’t discuss Covered Information while using mobile phones. Wireless transmissions are not secure and can be intercepted, listened to, or recorded by unauthorized parties.
- Who is on the other end? Think about who you are calling. Are they in a quiet place where it is safe for them to discuss this information? Ask the recipient if this is an acceptable time to discuss Covered Information and whether they can speak freely.
- Consider where you are storing information: avoid entering demographic data in unauthorized locations. Only use authorized Signify applications or systems to record sensitive information.

Slide 42 (Unauthorized Software): Protect the Network
Software shall not be installed on company-issued devices without proper authorization and documentation (e.g., a Service Desk ticket or JIRA ticket). Unauthorized software or hardware will be treated as a possible security incident. Do not install unauthorized software. Any hardware device that is installed on the Signify network or connected to a Signify-issued device must be purchased and managed by the Technology department. USB devices and mobile hard drives are prohibited on Signify-managed systems.

Slide 43 (Physical and Workstation Security): Example – Social Engineering
- Be aware of suspicious callers asking for confidential information over the phone. Do not give out any confidential information over the phone without first verifying that the caller is authorized to receive it.
- Do not let anyone into the secure areas of our office without an employee, visitor or vendor badge. Visitors should be directed to the reception area.
- Do not open any emails that you believe may be phishing.
- If you feel that you may have been targeted or victimized by social engineering, immediately report the incident to the Service Desk.

Slide 44 (Physical and Workstation Security): Insider Threats
Unintentional insider threats. These users aren’t malicious on purpose; they may be negligent or sloppy about security (e.g., writing their password on paper, losing a laptop, or opening malicious email attachments), are usually poorly trained, and fall victim to social engineering repeatedly.
Malicious users:
- Criminal agents who pose as legitimate employees.
- Disgruntled employees looking to retaliate against an employer.
- Employees planning to start a competing business.
- Legitimate employees tempted to “beat the system” (abuse their privileges).
- Employees who want to blackmail an organization for financial or political reasons.
- Employees looking to make money on the side (selling personal information on the black market).
- Compromised legitimate employees (who are being blackmailed).
- Tech-savvy employees who like the challenge of breaching the system.

Slide 45 (Physical and Workstation Security): Example – Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Messages claiming to be from popular social web sites, auction sites, online payment processors or Technology administrators are commonly used to lure the unsuspecting workforce. Phishing is typically carried out by email spoofing, and it often directs users to enter details at a fake website which looks and feels like the legitimate site. Any electronic communication that you suspect to be phishing should be reported immediately to the Service Desk, or sent to [email protected].
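Most of the cues behind “email spoofing” (a sender that is not who the display name claims, a bounce or reply path that goes to a third domain, authentication failures recorded by the receiving mail server, a link whose visible text does not match its target) can be read straight out of the message. The Python script below is an added example, not part of the training deck or of any vendor’s filter: it parses two constructed messages, one spoofed and one legitimate, and lists the indicators it finds. The trusted-domain list, the header contents and the Authentication-Results verdicts are assumptions for the illustration, and a real filter would score many more signals.

```python
"""Heuristic spoofing/phishing indicators read from one raw email.
Added example; headers, domains and verdicts below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Anchor tags in an HTML body, captured as (href, visible text).
LINK_RX = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RX = re.compile(r"https?://[^\s<]+", re.I)
# spf=/dkim=/dmarc= verdicts as written by the receiving MTA (assumed present).
AUTH_RX = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str, trusted_domains=("example.com",)) -> list[str]:
    """Return human-readable findings; an empty list means no check fired
    (which is not proof the mail is safe)."""
    msg = message_from_string(raw)
    found = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    ret_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Envelope sender (bounce address) on a different domain than the visible From.
    if ret_dom and ret_dom != from_dom:
        found.append(f"return-path domain {ret_dom} differs from From domain {from_dom}")
    # 2. Replies silently redirected to a third domain.
    if reply_dom and reply_dom != from_dom:
        found.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    # 3. Display name borrows a trusted domain that the actual address does not carry.
    for trusted in trusted_domains:
        if trusted in display.lower() and from_dom != trusted:
            found.append(f"display name mentions {trusted} but address is @{from_dom}")
    # 4. SPF/DKIM/DMARC failures recorded by our own mail server.
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RX.findall(hdr):
            if verdict.lower() in ("fail", "softfail", "permerror"):
                found.append(f"{mech.lower()}={verdict.lower()}")
    # 5. Link text shows one host while the href points at another.
    #    Single-part bodies only here; a multipart message would need msg.walk().
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, text in LINK_RX.findall(body):
        shown = URL_RX.search(text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            real_host = urlparse(href).hostname or ""
            if shown_host != real_host:
                found.append(f"link text shows {shown_host} but href goes to {real_host}")
    return found


# Constructed samples: one spoofed credential-harvesting mail, one legitimate notice.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-svc-hosting.biz>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-svc-hosting.biz; dkim=none; dmarc=fail header.from=example-support.biz
From: "example.com Service Desk" <helpdesk@example-support.biz>
Reply-To: <collect@mail-svc-hosting.biz>
To: nurse@example.com
Subject: Action required: your password expires today
Content-Type: text/html

<p>Your password expires in 2 hours. Re-validate at
<a href="http://login.example-support.biz/auth">https://sso.example.com/login</a></p>
"""

SAMPLE_LEGIT = """\
Return-Path: <servicedesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Service Desk" <servicedesk@example.com>
To: nurse@example.com
Subject: Scheduled VPN maintenance Saturday
Content-Type: text/html

<p>The VPN will be unavailable from 02:00 to 04:00. Details at
<a href="https://intranet.example.com/maint">https://intranet.example.com/maint</a></p>
"""

if __name__ == "__main__":
    for name, raw in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)]:
        print(name, "->", phishing_indicators(raw) or "no indicators")
```

Check 4 relies on Authentication-Results written by your own inbound server; an attacker can add a forged header of the same name, so a production filter strips any copy of it that did not originate at the trusted boundary before trusting its verdicts.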

Slide 46 (Physical and Workstation Security): Example – Identity Theft
Identity theft is a crime in which an impostor obtains key pieces of Personal Identifying Information (PII), such as Social Security numbers and driver’s license numbers, and uses them for personal gain. How does it happen?
- Stolen wallet, driver’s license, ID, credit card, debit card, check, banking statement, insurance card, vehicle registration card, or frequent flyer card.
- Pilfered mail.
- Computer virus.
- Phishing and social engineering.
- Links to fraudulent websites.
- Email, phone call or mailed letter.
- Social networking account.
- License plate.
- Health records.
- Financial data.
- Company-maintained data.

Slide 47 (Physical and Workstation Security): Example – Identity Theft (cont’d)
How do identity thieves find their victims?
- Phishing: an attempt to “hook” you into revealing your personal and confidential information by sending emails that appear to come from a legitimate business.
- Spam: unwelcome email and instant messages which may offer goods of little or no value or promise financial rewards if you give the sender money.
- Malware: malicious software (spyware, Trojans, viruses and worms) that can be remotely installed on your computer, making it possible for the person in control of the software to steal, damage or delete your files or other data.
- Malicious websites: harmful sites that lure users by promising content on popular breaking news stories, offers from retailers or other desired information.
- Insecure transactions: sites that don’t have secure payment forms, or companies that store debit and credit card information without proper safeguards, giving identity thieves the opportunity to intercept your personal information.
- Social networking: revealing too much personal information on your online profiles, agreeing to meet online contacts in person, or using sites that compromise your data.

Slide 48 (Physical and Workstation Security): Security Incidents
Signify Health Management approves the use of information assets and takes appropriate action when unauthorized activity occurs. Any Signify Health employee, contractor, consultant, vendor or business associate who suspects an adverse event, such as unauthorized use of system privileges or unauthorized access to sensitive data, must notify the Service Desk or [email protected]. For computer-specific incidents, such as the potential execution of malware that attempts to destroy data, notify the Service Desk or [email protected]. Sanctions may be applied to Signify Health employees for violating information security policies.

Slide 49 (Physical and Workstation Security): Example – Perimeter Alarms
Throughout Signify Health office buildings there are perimeter alarms to alert occupants to fire or other emergencies. The Facilities department will be notified by building personnel of any emergency. If an alarm sounds, all employees must proceed via the nearest stairwell toward the first floor.

Slide 50 (Privacy and Security Awareness): Summary
- Be aware of Signify Health’s policies relating to system and office security.
- Do not give confidential information out to an unknown or unverified individual.
- Immediately report any misuse of company systems or any breach.
- We are all responsible for protecting non-public data and computing assets.
- Report security incidents to the Service Desk or [email protected].

Slide 51 (Privacy and Security Awareness): Contacts
Please contact the following with questions:
- Chief Privacy Officer Tracey Scraba, via [email protected].
- Chief Information Security Officer Tim Williams, via [email protected].
- Chief Compliance Officer Erin Kelly, via [email protected].