Office of Compliance Programs
Revised: January 22, 2018
HIPAA Privacy Workforce Training
The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all workforce members (faculty, staff, residents, students, volunteers and contractors) about the University’s HIPAA policies and those specific HIPAA-required procedures that may affect the work you do for the University.
This presentation provides a summary of the HIPAA Privacy Rule. It defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students who deal with patient information on a regular basis must understand and follow.
Important HIPAA Privacy Terms
- Privacy: the right of an individual to be informed of, and provide input on, uses and disclosures of his/her personal or health information.
- Use: the sharing, utilization, or examination of Protected Health Information (PHI) within or by employees or students of
- Disclosure: the release, transfer, or provision of access
- Authorization: the mechanism for obtaining permission from a
for the use and disclosure of their personal health information to an outside agency that does not qualify under one of the exceptions in the
- Minimum Necessary: limits the use, disclosure, and requests of PHI to the minimum necessary to accomplish the specific purpose of the task at hand.
- Breach: the unauthorized access, use, or disclosure of PHI that compromises the security or privacy of that information.
This Training Program will Help YOU Understand…
- Who has to follow HIPAA?
- How does HIPAA affect you and your job?
- Where can you get help?
- In 1972, Democratic presidential nominee George McGovern selected Senator Thomas Eagleton (D-MO) as his vice-presidential running mate. Shortly thereafter, despite a long-established principle of doctor-patient confidentiality, information about Senator Eagleton’s treatment for depression, including electro-convulsive therapy, was released to the press.
- As a result of the outcry about someone who had undergone therapy being “a heartbeat away from having his finger on the (nuclear) button”, Eagleton withdrew from the race.
- No one was ever prosecuted for releasing Senator Eagleton’s information without his consent.
What Does HIPAA Do?
HIPAA is the Health Insurance Portability and Accountability Act, a federal law that…
- protects the privacy and confidentiality of a patient’s personal and health information.
- provides for electronic and physical security of personal and health information.
- simplifies billing and other transactions.
The Purpose of HIPAA?
To protect and enhance the rights of consumers by providing them
- access to their health information.
- control of the inappropriate use of that information.
The Rule’s goal is to maintain trust in the health care system and improve the quality, efficiency and effectiveness of health care.
Promotes the balance of:
- the use of an individual’s health care information to advance economically prudent health care while protecting the privacy of the individual seeking medical care and treatment.
The HIPAA Privacy Rule in a nutshell
A covered entity (e.g. LSUHSC-NO and its faculty, staff and students) may not use or disclose protected health information about a patient without that patient’s written authorization unless the use or disclosure falls under one of the exceptions.
An Overview of the Law
HIPAA is the FLOOR
- The HIPAA Privacy regulations set the minimum standard for protecting the privacy of the Protected Health Information (PHI) of patients, and do not supersede any state or local rules, regulations, or standards that are more stringent.
- It is important to familiarize yourself with any state and/or local laws and regulations that may be more stringent than HIPAA.
Training Methods Offered at LSUHSC-NO
- Online Training (KDS)
- Presentation/Classroom training
- Informational packets (Self-Study) for users who do not have
- Reciprocal training: HIPAA training received from another institution that is similar enough in content to LSUHSC training to receive credit
HIPAA Provides for the Following:
- Implementation of administrative, technical, and physical safeguards to ensure the privacy of patient Protected Health Information (PHI).
- Policies and procedures for the protection of health information and individual patient rights.
- Mandatory faculty, staff, resident and student education on policies and practices.
- A complaint process that accepts, records, and investigates patient complaints about the entity’s privacy practices.
- Designation of a Privacy Official.
Who is Impacted?
The organizations covered by HIPAA are defined as “covered entities.”
A “covered entity” can be any of the following:
- Health care providers who bill electronically
- Health plans
- Health care clearinghouses
LSUHSC-NO, as a health care provider, is a “covered entity” under HIPAA. This means that the university must abide by the requirements of the HIPAA Privacy Rule.
Who Has to Follow the HIPAA Law?
All faculty, staff and students must comply with HIPAA.
What is Protected Health Information (PHI)?
PHI consists of two parts:
- Information that personally identifies the patient (an identifier)
- Any information, including genetic information, whether oral or recorded in any form or medium, that:
  - Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  - Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Examples of Patient Identifiers
- Patient name or any part of the name (first, last, initials, etc.)
- All elements of dates (e.g. date of birth, date of admission, date of discharge, date of appointment, date of encounter, etc.)
- Social Security number
- Driver’s license number
- Phone and fax numbers
- Mailing address
- Email address
- Hospital account number
- Medical record number
- Insurance identification number
- Medicare/Medicaid ID numbers
- Certificate/License numbers
- Device identifiers and serial numbers
- Vehicle identifiers and serial numbers
- Pictures that identify a patient as a patient
- Biometric identifiers, etc.
- Any information which, combined with other readily available information, would identify the individual (e.g. parent’s name)
Examples of What PHI is NOT…
- Company proprietary information:
  - Business plans and strategy
  - Pricing strategies
  - Operating costs
- Health information kept by an employer:
  - Medical information
  - Workman’s compensation records
  - OSHA-required records
- Information regarding a person who has been deceased for more than
- Student health records
Use and Disclosure of PHI
LSUHSC-NO faculty, staff and students may not use or disclose PHI without a patient’s written authorization unless the use or disclosure qualifies for one of the exceptions in the HIPAA regulations.
Common Disclosures of PHI Allowed WITHOUT a HIPAA Authorization
- for Treatment, Payment, and Operations (TPO).
- for other activities, including but not limited to:
  - Medical staff activities
  - Business and management operations
  - Disclosures required by law
  - Public health and other governmental reporting
Treatment, Payment, and Health Care Operations (TPO) Defined
- Treatment: includes various activities related to patient care. Some examples include:
  - A primary care provider may send a copy of an individual’s medical record to a specialist who needs the information to treat the patient.
  - A hospital may send a patient’s health care instructions to a nursing home to which the patient is transferred.
  - Two health care providers discussing a patient’s condition to develop a treatment plan.
- Payment: includes activities related to obtaining payment for health care. Some examples include:
  - A physician may send an individual’s health plan coverage information to a laboratory that needs the information to bill for
  - A hospital emergency department may give a patient’s payment information to an ambulance provider to bill for its treatment.
- Health Care Operations: generally means the business operations of health care providers. Some examples include:
  - Contacting health care providers or patients with information about treatment alternatives.
  - Case management and care coordination.
  - Clinical education.
  - Activities relating to improving public health or reducing health care costs.
  - Conducting quality assessment and improvement activities, including outcomes evaluations and development of clinical guidelines.
  - Protocol development.
  - Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs.
Use and Disclosure Exception:
- Use and Disclosure restrictions do NOT apply to de-identified health information.
- De-identified health information neither identifies nor provides a reasonable basis to identify an individual.
What is a HIPAA Authorization Form?
- A HIPAA Authorization form is a form, signed by the patient, required for disclosures of PHI to entities outside LSUHSC-NO.
- A HIPAA Authorization form is REQUIRED when a patient requests a copy of his or her PHI to be disclosed to a third party except in certain
Examples of when a HIPAA Authorization is required include, but are not limited to:
- When a patient requests a copy of his or her PHI to be disclosed to a third party.
- Release of records to an attorney.
- Release of records to a family member when the patient is over 18.
- Release of patient information to a research study sponsor.
- When in doubt, get an authorization. It is better to obtain an authorization and not need it than to need the authorization and not have it.
An authorization is considered invalid if the document has any of the following defects:
- The expiration date has passed or the expiration event is known to have occurred.
- The authorization is missing one or more core elements of a valid authorization.
- The authorization is known to have been revoked.
- The authorization violates a privacy rule standard on
- Any information recorded on the authorization is known to be false.
HIPAA Privacy regulations require very specific language be included in authorization documents. For that reason, only the HIPAA authorization forms available on LSUHSC-NO’s policy web pages, or the authorization forms approved by the health care facility where you are working, may be used to obtain a patient’s authorization to use or disclose their PHI.
Use of any other form will result in an invalid authorization and a breach of PHI.
Who Has Access to PHI?
The “Need to Know” Principles
PHI should be shared with as few individuals as needed to ensure patient care, and then only to the extent demanded by the individual’s
The “Need to Know”
- Is the information needed for you to do your job?
- How much do you need to know?
- How much do other people need to know?
- The key is to balance the privacy of health information against the need for the information.
How Does “Need to Know” Translate into HIPAA?
HIPAA requires use of the Minimum Necessary concept:
- Use only the minimum necessary amount of information needed to do your job.
- Disclose only the minimum necessary amount of information needed to fulfill a request.
TREATMENT is an EXCEPTION!
Never provide more information than what is needed!
Minimum Necessary Rule (Exceptions)
The Minimum Necessary requirement does NOT apply in the following cases:
- Disclosures to or requests by a health care entity for the purpose of treating the patient.
- Uses or disclosures made to the individual who is the subject of the information.
- Uses or disclosures made pursuant to a valid HIPAA authorization initiated by the individual.
- Uses or disclosures that are required by law. (However, these are limited by the law’s requirements.)
- Uses or disclosures required for compliance under HIPAA, including compliance with the implementation specifications for conducting standard data transactions.
HIPAA Requires the University To:
Provide a copy of LSUHSC-NO’s Notice of Privacy Practices (NPP) brochure when a patient first visits an LSUHSC-NO clinic. The NPP describes:
- How the university can use and share his or her protected health information.
- A patient’s privacy rights.
Ask the patient to sign a written acknowledgment that he/she received the Notice of Privacy Practices.
Post the NPP at the location (e.g. in the patient waiting room) and on the location’s website. (Contact the Office of Compliance Programs for help.)
HIPAA provides for specific patient rights, which include the:
- Right to inspect and copy their PHI;
- Right to receive an electronic copy of their PHI if the PHI is already in an electronic format;
- Right to request an amendment to their PHI;
- Right to receive confidential communications at an alternative address or phone;
- Right to request restrictions on certain uses and disclosures;
- Right to request an accounting of disclosures of their PHI;
- Right to opt out of a
- Right to make a complaint about a suspected privacy breach.
Right to Access
- Patients have the right to access and copy their PHI.
- Patients have the right to receive their PHI in the format of their choice (e.g. photocopy or digital).
Right to Request Amendment and Restrict Disclosure
If a patient requests an amendment or restriction of the PHI in their medical record, the health care provider must refer the request to the LSUHSC-NO Privacy Officer.
LSUHSC-NO must agree to the request of an individual to restrict disclosure of PHI about the individual to a health plan if:
- The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, and
- The PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid LSUHSC-NO in full.
Right to an Accounting of Disclosures
A patient has the right to receive an accounting of certain types of disclosures of Protected Health Information made by LSUHSC-NO for up to six (6) years prior to the date on which the accounting is requested. This includes any disclosures for reasons other than treatment, payment, or health care operations.
Where Can I find The Privacy Policies and Procedures?
At LSUHSC-NO, the HIPAA Privacy Policies and Procedures are contained in Chancellor’s Memorandum 53, available at:
How Does HIPAA Privacy Affect Providers?
LSUHSC-NO has a commitment to protect the privacy of the patient’s health information, in both medical and billing records.
The privacy policies and procedures affect the tasks a provider performs, including aspects of physical security of PHI and the minimum necessary standard.
Protecting a Patient’s PHI is YOUR Responsibility
PHI can be compromised in many different ways. It is your responsibility to protect PHI in all situations so that you do not expose a patient’s PHI.
A patient’s PHI can be breached in any of the following ways. (This is not an inclusive list, but rather examples of various risks to PHI.)
- PHI recovered from discarded paper documents, computer hard drives, flash drives, backup tapes and optical disks.
- PHI included in emails sent to the wrong recipient, or PHI inappropriately attached to an email.
- PHI stolen and sold for monetary gain.
- PHI obtained and disclosed by hackers.
- PHI contained in lost or stolen paper documents, laptops, flash drives, backup tapes or optical disks.
- PHI that is disclosed due to the actions of a computer virus.
- PHI inappropriately posted, or to which access is provided, on a
Role of the Privacy Officer
- Responds to HIPAA privacy complaints
- Implements privacy policies and procedures
- Conducts educational programs
- Reviews LSUHSC-NO’s privacy program
- Investigates violations of LSUHSC-NO’s privacy policies
- Is available to answer any privacy questions or concerns
If anyone suspects or knows of mishandling or misuse of patient PHI, a complaint can be made to the:
- LSUHSC-NO Privacy Officer
- Office of Compliance Programs
- Office of Civil Rights of the Department of Health and Human Services
- appropriate Privacy or Compliance official at the institution where you work
How to Report a HIPAA Violation
Contact the LSUHSC-NO Privacy Officer or the Office of Compliance Programs:
- Telephone:
  - Office: (504) 568-5135
  - Confidential reporting hotline: (504) 568-2347
- Contact the Privacy Officer or the Compliance department at the hospital/facility where you work.
Penalties for HIPAA Violations
There is a tiered system for assessing the level and penalty of each violation:
- Tier A: violations that are accidental, not intentional. Fines of
per violation up to $25,000 for violations of an identical type per calendar year.
- Tier B: violations due to reasonable cause and not willful neglect. Fines of $1,000 per violation up to $50,000 for violations of an identical type per calendar year.
- Tier C: violations that the hospital corrected, but were due to neglect of the policies/procedures. Fines of $10,000 per violation up to $250,000 for violations of an identical type per calendar year.
- Tier D: violations due to willful neglect that the hospital did not correct. Fines of $50,000 per violation up to $1.5 million for violations of an identical type per calendar year.
- Loss of your job or student status.
- Individuals and health care providers (hospitals, etc.) can also face civil and criminal prosecution, depending on the facts of the case.
As a Recap…
- HIPAA provides for the rights of patients in relation to their protected health information. It also provides for the privacy and security of that information.
- It is everyone’s responsibility to protect PHI in all formats.
- Violations of any of the HIPAA regulations may result in fines from the federal government. Penalties can also include civil and even criminal prosecution.
- Report breaches of PHI to Compliance immediately.
- If you are found to be deliberately accessing PHI for reasons other than those related to performing your job, you can face disciplinary action, up to and including termination and/or expulsion.
- Be familiar with the HIPAA Privacy policies wherever you work, as they differ from institution to institution.
Office of Compliance Programs
433 Bolivar St.
New Orleans, LA. 70112