Office of Compliance Programs
HIPAA Privacy Training for Non-Clinical Workforce
Revised: January 22, 2018
HIPAA Privacy Workforce Training
The Health Insurance Portability & Accountability Act (HIPAA)
requires that the University train all workforce members (faculty,
staff, residents and students) about the University's HIPAA policies
and those specific HIPAA required procedures that may affect the work
you do for the University.
This presentation provides a brief summary of the HIPAA Privacy
Rule. It lists basic principles that all LSUHSC-NO faculty, staff,
residents and students must understand and follow.
The HIPAA Privacy Rule (thumbnail sketch)
A covered entity (e.g. LSUHSC-NO and its faculty, staff and
students) may not use or disclose protected health information of a
patient without that patient's written authorization unless the use or disclosure falls under
one of the exceptions.
What is PHI?
PHI consists of two parts:
- Information that personally identifies the patient (an
- Any information, including genetic information, whether oral or
recorded in any form or medium, that:
- Is created or received by a health care provider, health plan,
public health authority, employer, life insurer, school or university,
or health care clearinghouse; and
- Relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care to
an individual; or the past, present, or future payment for the
provision of health care to an individual.
What is an identifier?
- Patient name
- Date of birth
- Genetic information
- Social Security number
- Driver’s license number
- Phone and fax numbers
- Mailing address
- Email address
- Hospital account number
- Medical record number
- Insurance identification number
- Medicare/Medicaid ID numbers
- Certificate/License numbers
- Device identifiers and serial numbers
- Vehicle identifiers and serial numbers
- Photographs, video or other images where the patient's face is
- Biometric identifiers
- Any other unique identifying number, characteristic, or code,
that could be used alone or in combination with other information to
identify an individual who is a subject of the information.
PHI does not include:
- Information on individuals who have been dead more than 50 years
- Student health records
- Health information LSUHSC-NO keeps in its role as an employer
(e.g. occupational health and safety information)
- De-identified information
PHI can appear in any medium including but not limited to:
- Spoken (conversations, telephone calls, etc.)
- Written (invoices, photocopies, etc.)
- Electronic (emails, databases, spreadsheets, billing systems,
electronic health records, etc.)
Uses and disclosures that do not require an authorization include
but are not limited to:
- To the individual
- For treatment purposes
- For payment purposes
- For healthcare operations (e.g. quality improvement activities,
training, legal services, audits, etc.)
- To the Secretary of the Department of Health and Human Services
There are other exceptions. If you have a concern regarding whether
a particular use or disclosure requires an authorization from the
patient, contact the LSUHSC-NO Privacy Officer at (504) 568-5135 or via
Protecting Patient Privacy
- Treat all information as you would want information about you or
your family member treated.
- Do not discuss confidential patient information in areas where it
is likely to be overheard, such as elevators, hallways, the cafeteria,
restrooms, or other public places.
- Shred documents and disks with PHI before discarding.
- Do not allow unauthorized visitors or patients in staff areas,
dictating rooms, chart storage areas, etc.
- Do not discuss patient information with your family, friends, or
people in your facility who are not directly involved in the patient's
treatment, payment, or operations.
- Do not share your passwords with anyone.
- Set an idle time-out on your local workstation.
- Always log off of your computer when you leave your work area.
- Do not leave charts, schedules, or open documents on computer
screens that may contain patient information in plain view.
- Conduct telephone conversations or dictation regarding
confidential patient information in a discreet manner where it cannot
- Access only the information you are officially authorized to
- When scrapping or surplusing computer equipment, make sure
I.T. erases all the information from any storage devices (e.g. hard
drives, solid state drives, flash drives, printers with storage
- Each of us is authorized to access PHI only on a need-to-know
basis, for the purpose of fulfilling our job responsibilities.
Unfortunately, some take advantage of various sources of PHI to satisfy
curiosity or other motives.
- LSUHSC-NO faculty, staff and students may find themselves working
and/or training in facilities that use electronic systems containing
that are shared by multiple, independent health care providers. In
such cases, an individual must be granted permission to access the
electronic record in writing by the facility that owns the record, in
addition to having a job-related need to view the information before
accessing the electronic record. Each record access is logged and logs
are regularly checked for instances of unauthorized access.
- No matter why an employee or physician accesses PHI, if there is
not a job-specific reason to do so, the access is prohibited by
hospital policy, LSU policy, and HIPAA regulations.
- This includes access to family members' information, including
spouses, parents, adult children, siblings, significant others,
Any such unauthorized
access would be a direct violation of LSUHSC-NO policy and HIPAA
regulations. Such action would expose the violator not only to
disciplinary action, but also to possible legal action.
LSUHSC-NO Privacy Policies
The HIPAA Privacy Policies and Procedures are contained in Chancellor’s
Memorandum 53. Also, all HIPAA forms (e.g. Notice of Privacy
Practices, HIPAA Authorization, Research Authorization, etc.) can be
found at this link.
What is a Breach?
A breach of PHI is the unauthorized access, use, or disclosure of
PHI that compromises the security of that information.
Any unauthorized access, use, or disclosure of PHI should be
reported immediately to the Compliance/Privacy Officer in the Office of
Compliance Programs at LSUHSC-NO.
Compliance will conduct a risk assessment to determine if the use
and/or disclosure must be reported to the patient and the U.S.
Department of Health and Human Services.
Things to Remember about Breaches
- Breaches Happen!!
- Breaches can be deliberate or accidental.
- You can report them anonymously.
- Timely notification of any known Breach is CRITICAL as we only
have 60 days from the time an employee discovers the Breach to take the
action required by the HIPAA Breach Notification Rule.
- If you are unsure whether or not an incident is a breach, call
the Compliance Office.
Some Examples of a Breach of PHI include, but are not limited to:
- PHI from discarded paper documents, computer hard drives, flash
drives, backup tapes and optical disks.
- PHI included in emails sent to the wrong recipient or PHI
inappropriately attached to an email.
- PHI stolen and sold for monetary gain
- PHI obtained and disclosed by hackers.
- PHI contained in lost or stolen paper documents, laptops, flash
drives, backup tapes or optical disks.
- PHI that is disclosed due to the actions of a computer virus.
- PHI inappropriately posted or to which access is provided on a
If anyone suspects or knows of mishandling or misuse of patient PHI,
a complaint can be made to:
- The LSUHSC-NO Privacy Officer
- The Office of Compliance Programs
- The Office of Civil Rights of Department Health and Human
- The appropriate Privacy Officer at the institution if other than
How to Report a HIPAA Violation
- Contact the LSUHSC-NO Privacy Officer or the Office of
Compliance Programs via:
- Office Phone: (504) 568-5135
- Anonymous reporting hotline: (504) 568-2347 or,
- Contact the Privacy Officer or the Compliance department at the
hospital/facility where you work.
The HHS Office of Civil Rights shall assess penalties ranging from
$100 per violation up to $1.5 million per violation.
Please note that inappropriate use and/or disclosure of information
on each patient is a separate violation.
In addition, LSUHSC-NO may take disciplinary action up to and
including termination of employment or, if a student, expulsion from
Individuals and health care providers (hospitals, etc.) can also
face civil and criminal prosecution, depending on the facts of the
- HIPAA provides for the rights of patients in relation to their
protected health information. It also provides for the privacy and
security of that information.
- It is everyone’s responsibility to protect PHI.
- Violations of any of the HIPAA regulations may result in fines
from the federal government. Violations of HIPAA privacy regulations
can also include civil and even criminal penalties.
- Report breaches of PHI to Compliance immediately.
- If you are found to be deliberately accessing PHI for reasons
other than related to performing your job, you will face disciplinary
action, up to and including termination of your employment or student
- Be familiar with the HIPAA Privacy policies wherever you work as
they differ from institution to institution.
Office of Civil Rights HIPAA webpage.
Office of Compliance Programs
433 Bolivar St.
New Orleans, LA. 70112