                              LOS ANGELES COUNTY
                        DEPARTMENT OF HEALTH SERVICES
          HARBOR-UCLA MEDICAL CENTER AND COASTAL CLUSTER HEALTH CENTERS

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
                   PRIVACY AND SECURITY
             COMPREHENSIVE SELF-STUDY GUIDE




                       Revised May 2005
               Harbor-UCLA Medical Center and Coastal Cluster Health Centers

  HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
                             PRIVACY AND SECURITY
                        COMPREHENSIVE SELF-STUDY GUIDE*




                                                   EDITORS

             Paula Siler, RN, MS
             Director, Professional Practice Affairs

             Mary Ann Berliner, MLS
             Director, Parlow Medical Library


                                                  REVIEWERS

             Tecla A. Mickoseff
             Chief Executive Officer

             Miguel Ortiz-Marroquin
             Chief Operations Officer

             Jeanette Miura, RN, MSHCM
             Director, Fiscal and Management Systems

             Elisa Sanchez
             Director, Patient Centered Team Care

             Mary Morgan
             Chief Information Officer

             Donna Samuels, ART
             HIPAA Privacy Liaison

             Sandy Mungovan
             Director, Information Systems-Telecommunications
             HIPAA Security Coordinator

             Robin Watson, RN, MN, CCRN
             Clinical Nurse Specialist, Neonatal/Pediatrics


                                            PUBLICATION SUPPORT

             Stephanie Viado
             Intermediate Typist Clerk

             Michael Wright
             Training Coordinator




                *Content adapted from: Health Care Compliance Strategies, Inc.




                      HIPAA Privacy and Security Compliance Self Study Guide: Comprehensive
                                                  PREFACE

The format of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and
Security Comprehensive Self-Study Guide has been organized to reflect the hospital’s
commitment to adult learning in educational programs. Each employee is required to read the
study guide to update himself/herself with information about the Health Insurance Portability and
Accountability Act and successfully complete the test.





                                                         Table of Contents


Objectives and Instructions for Completing HIPAA Self Study Guide ..........................................1
Overview and Introduction ..............................................................................................................2
Privacy Standards.............................................................................................................................3
Protected Health Information ...........................................................................................................3
Confidentiality .................................................................................................................................5
Patient’s Rights ................................................................................................................................6
Reasonable Precautions ...................................................................................................................7
Disclosure ........................................................................................................................................8
Patient’s Right to PHI ......................................................................................................................8
Special Issues ...................................................................................................................................9
HIPAA Security Rule ......................................................................................................................9
Administrative Safeguards .............................................................................................................10
Physical Safeguards .......................................................................................................................11
Technical Safeguards .....................................................................................................................11
Roles and Responsibilities .............................................................................................................12
Enforcement ...................................................................................................................................13
Conclusion .....................................................................................................................................13
Study Questions .............................................................................................................................14
References ......................................................................................................................................17
Appendix A ..................................................................................................................................A.1






Objectives:

   Upon completion of this section, the participant will be able to:

   1. Identify how the privacy standards protect individuals from the misuse of their health
      information.

   2. Differentiate identifiers for patients that must be kept confidential.

   3. State one component of the patient’s rights for privacy of health information.

   4. Identify how the security standards safeguard individual Protected Health Information (PHI)
      from misuse and/or unauthorized disclosure.

   5. Recognize and become familiar with Harbor-UCLA Medical Center and DHS HIPAA security
      related policies.

   6. Determine specific responsibilities for ensuring confidentiality of protected health information.




Instructions for Completing:

   1. Review the content in each section.

   2. Complete the study questions at the end.

   3. Check your answers against the answer key provided for each set of questions.

   4. Return the Self-Study Guide to where you obtained it.


                              PLEASE DO NOT WRITE IN THE MANUAL




      HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)


I.    OVERVIEW

      There are three components under the HIPAA Act that contain requirements specific to health
      care organizations: Standards for the Privacy of Individually Identifiable Information, Standards
      for Security, and Standards for Electronic Transactions and Code Sets.

      The Standards for the Privacy of Individually Identifiable Information are based on the need to
      protect the privacy of every patient’s health information in written, oral, electronic, and any other
      form.

      The Standards for Security are based on the need to ensure the integrity of, and to control access
      to, health information. They are designed to protect information from alteration, destruction, loss,
      and accidental or intentional disclosure to unauthorized persons.

      The Standards for Electronic Transactions and Code Sets are based on the need for health care
      entities to communicate efficiently with one another for such basic activities as claims
      processing, payment, establishing coverage under a health plan, and determining a patient’s level
      of eligibility for services.

      Medical Practices and Businesses subject to HIPAA regulations are called “covered entities”.
      They include healthcare providers, healthcare plans and claims clearinghouses. Under HIPAA,
      the County of Los Angeles is a Hybrid Covered Entity and it includes the Department of Health
      Services, the Department of Mental Health and the Kirby Center of the Probation Department.

II.   INTRODUCTION


                                          Is this familiar?

             “Hi. I’m calling to find out about a patient…?”

             “I’m here to pick up a prescription for Lillian Berger…”

             “Alan Shumaker? Sure, I saw him yesterday. He presented with high fever…”

             “I’m going to Florida for the winter and wanted to get a copy of my medical record.”

      Have you heard these statements in your work area? These are all examples of requests for
      protected health information. Keeping health information private is the most far-reaching part of

       the Health Insurance Portability and Accountability Act (HIPAA). HIPAA involves standards
       relating to Privacy, Security and Electronic Transactions. The rules and standards that govern
       “protected” information and how it is shared with others will be reviewed in this Self-Study
       Guide.

       Everyone who works in the healthcare industry needs to be familiar with HIPAA rules. The
       question to ask is “How can I protect the privacy of patient health information?” Protecting a
       patient’s privacy sounds simple, but meeting the legal requirements is not always simple.
       HIPAA is a very detailed law, and the penalties for violating it are severe. It is important that all
       health care team members understand their responsibilities under HIPAA. By protecting the
       confidentiality of our patients’ personal health information, we protect their rights as well as
       avoid personal and organizational penalties.

III.   PRIVACY STANDARDS

       The HIPAA privacy regulations require organizations to intensify their efforts to maintain patient
       confidentiality. Increased staff training and security of records is key to success and compliance.
        Perhaps one of the greatest impacts of the Privacy Standards involves the patient’s right to be
        formally notified of the uses and disclosures of his/her medical information and to have full
        access to those records.

        A. The Privacy Standards protect individuals from the misuse of their health information by: 1
                   •   people who are not involved in the patient’s direct treatment
                   •   insurers using it to deny life or disability coverage
                   •   employers using it for hiring or firing decisions
                   •   reporters using it for any number of reasons
                   •   family members or other patient contacts (i.e. neighbors, etc.)

       B. The Privacy Standards apply to health information that is either written, spoken, electronic or
          communicated and maintained in any other form. The core concept in the Privacy Standards
          is that Protected Health Information (PHI) should be disclosed only to those who need it to
          provide and/or pay for care. Direct care providers (physicians, nurses, etc.) need access to
          information, and patients are entitled to see anything in their own records. Others who are
          not direct care providers should receive the minimum information necessary. Anyone not
          involved in the patient’s healthcare should receive PHI only with the patient’s consent.

IV.    PROTECTED HEALTH INFORMATION (PHI)

       A. The term “protected health information” as defined in HIPAA means any information that is
          created or received by a health care provider, health plan, employer, life insurer, school or
          university. This information can be found in:
                   •   medical records
                   •   insurance claims information
                   •   payment information
                   •   almost all information related to a person’s health care

           The information is protected because it contains confidential information regarding a patient.


B. The privacy rules place limits on the use and disclosure of a person’s Protected Health
   Information (PHI). 2 Protected Health Information is defined as any health information that
   could reveal the identity of a patient, such as:
           •   the patient’s name, address or phone number
           •   the patient’s health insurance number
           •   the patient’s social security number
           •   any other information that identifies a patient

    Review the list of Patient Identifiers below and determine which ones identify the
    patient and which ones do not (mark each one “Identifies?” or “Doesn’t Identify?”):


                                    Patient Identifiers
                                   •   Medical Symptoms/Condition
                                   •   Patient’s Name
                                   •   Street Address
                                   •   City/Town
                                   •   State
                                   •   Last TWO Digits of Zip code
                                   •   Year of Birth
                                   •   Social Security Number
                                   •   First THREE Digits of Zip Code
                                   •   Year of Admission
                                   •   Photograph
                                   •   Age, under 89
                                   •   Phone/Fax Number
                                   •   Year of Discharge
                                   •   Email, URL, IP address
                                   •   Date of Admission, Service, Birth
                                   •   Drivers License



    The following is the completed, correct list for the Patient Identifiers. How did you do?


                                      Patient Identifiers

                 Identifies:
                   •   Patient’s Name
                   •   Street Address
                   •   City/Town
                   •   Last TWO Digits of Zip code
                   •   Social Security Number
                   •   Photograph
                   •   Phone/Fax Number
                   •   Email, URL, IP address
                   •   Date of Admission, Service, Birth
                   •   Drivers License

                 Doesn’t Identify:
                   •   Medical Symptoms/Condition
                   •   State
                   •   Age, under 89
                   •   Year of Admission
                   •   First THREE Digits of Zip Code
                   •   Year of Discharge
                   •   Year of Birth




It is critical for organizations to determine strategies to protect a patient’s health information.
One method is identifying the minimum necessary information that individuals need to access in
order to perform their job duties. This is accomplished through security codes and limits on
access to information. For example, access to health information may vary depending upon
whether the person is an employee, volunteer, student or serves another role in the hospital.
Other circumstances in which employees will not have access are also identified. There are some
exceptions to the Privacy Rule, such as when a patient requests access to or a copy of their PHI, or
other uses or disclosures required by law.

V.   CONFIDENTIALITY

     Privacy of personal health information is important not only to patients, but also to organizations.
     A recent national patient survey conducted by the Gallup Poll identified that 84% of patients state
     they were very concerned that health information might be made available to others without their
     consent. Only 7% said they were willing to store or transmit personal health information on the
     Internet. 3 What does this mean to health care facilities?

     All employees regardless of role, specific duties or job descriptions have a responsibility to
     protect confidential patient information. 90% of patients polled said that they would trust their
     health care provider to keep their personal health information private and secure, and 66% said
     they would trust a hospital to do the same; only 42% said that they would trust an insurance
     company to keep their information confidential. 3

     If patients do not trust their health care providers to ensure confidentiality of PHI, the
     consequences are severe. The quality of care could be compromised if patients are not as open
     about disclosing certain conditions, which may then go undetected or untreated, or health
     information may not be complete or accurate.

     Employees are responsible for keeping patient health information confidential, being sensitive,
     respecting the patient’s right to privacy, and knowing and applying the organization’s policies
     and procedures.

     Consider the following dialogue taking place in one of our medical wards:

          Richard:     Hi, Sarah. I’m trying to find out about Nora Wilson?

          Clerk:       She’s a patient? Nora who?

          Richard:     Nora Wilson. She’s a patient, but she’s also the housekeeping supervisor. She’s
                       in her 50s, so high, graying hair, glasses…

          Clerk:       [Typing into computer] Oh WOW! Nora? I know Nora! I hope it’s nothing
                       serious; she’s so nice.

          Richard:     I heard she was admitted last night, but I don’t know what room she’s in or how
                       she’s doing.

          Clerk:       [Reading from computer screen] Here it is. Oh my, she’s up in intensive care.
                       [Continues reading silently]

          Richard:     What’s wrong with her? When I saw her Friday, she looked fine.

          Clerk:       I’m afraid I can’t tell you that.

          Richard:     Why not? It’s in there, isn’t it?

          Clerk:       Yes, it’s in here, but nobody’s authorized to read medical records except the
                       people involved in a patient’s treatment.

          Richard:     Well, you’re not involved in her treatment, and you’re reading her records. I
                       work with the lady every day. She’s like a sister to me. Can you tell me anything?
                       Is she going to be all right?

          Clerk:       It’s not clear from the record.

          Richard:     It’s not clear, or you don’t want to tell me? Is it serious? Oh no, it is serious, isn’t
                       it?

          Clerk:       I don’t know, Richard. Calm down, please.
                       [Clerk summarizes from the record] She was admitted last night with chest
                       pains and shortness of breath, and she had heart surgery this morning. That’s
                       really all I can tell from the record.

          Richard’s Supervisor approaches Richard and asks:

          Supervisor:  Are you aware of hospital regulations regarding the confidentiality of patient
                       information?

          Richard:     [Somewhat dismissively] Yeah, when we’re hired, we have to sign a “code of
                       conduct,” and part of that says that we promise to honor a patient’s right to
                       confidentiality and that we can be fired if we don’t. But it’s not like it was a
                       stranger I was trying to find out about. Nora’s my friend. I love her like a sister,
                       and I was concerned about her.

          Supervisor:  Did the Clerk reveal confidential information to you about the patient?

          Richard:     She pretty much told me everything I wanted to know: why Nora was in the
                       hospital, about her operation, why they moved her to intensive care… She was
                       just being thorough and explaining everything so I wouldn’t worry too much.

          Supervisor:  Did you tell anyone else what you had learned about Mrs. Wilson’s
                       condition?

          Richard:     Yeah, I told some of the other people in housekeeping. I guess it kind of got
                       around, huh? We’re all like one big family down there.

      Did a breach in confidentiality occur? Yes! Protected health information was given to an
      individual not involved in the patient’s care, and the patient’s rights were violated.


VI.   PATIENT’S RIGHTS

      The federal privacy regulation empowers patients by guaranteeing them access to their medical
      records, giving them more control over how their protected health information is used and
      disclosed, and providing a clear avenue of recourse if their medical privacy is compromised. The
      rule will protect medical records and other personal health information maintained by certain
      health care providers, hospitals, health plans and health insurers.

      The Health Insurance Portability and Accountability Act of 1996 and the Federal Privacy
      Regulations (April, 2001) established the patient’s right to privacy of their health information.
       These rights include access to information, amending the information, accounting for disclosures,
       requesting restrictions, filing a complaint and receiving notice. 1

       1. Right to Access: Patients have the right to access or inspect their health record, and obtain a
          copy from their health care provider. They may access or copy for as long as the information
          is retained. There are few exceptions to access related to psychotherapy notes and
          protections under state law.
       2. Right to Amend: Patients have the right to request an amendment to their medical record.
          The request must be put in writing and submitted to Medical Records. The organization will
          then review and determine agreement or disagreement. The request for amendment becomes
          part of the permanent medical record.
       3. Right to Account for Disclosures: Patients have the right to request a list of when and where
          their confidential information was released (within the last six months), the date of the
          disclosure, the name of the person or entity who received the information and address, and a
          brief description of the reason for the disclosure. The exception is for treatment, payment or
          healthcare operations.
        4. Right to Request Restrictions: Patients have the right to request that their provider or hospital
           restrict the use and disclosure (release) of their confidential information; however, the
           provider or hospital is not required to comply with the restrictions if the use and disclosure
           does not otherwise violate HIPAA Privacy Standards. For example, a wife might request that
           her PHI not be disclosed to her spouse.
        5. Right to File a Complaint: Patients have the right to file a complaint if they believe their
           privacy rights were violated. A complaint can be filed in writing and submitted to the
           organization’s Privacy Coordinator or Medical Records department.
       6. Right to Receive Notice: Patients have the right to receive a Notice of Privacy Practices
          handout which describes how medical information is used and disclosed; how to access and
          obtain a copy of their medical record; a summary of patient rights under HIPAA and how to
          file a complaint and contact information. Notice of Privacy Practices posters will be located
          in key area(s) throughout the hospital and the Notices of Privacy Practices written guidelines
          will be given to patients at the time of registration or log-in. If a patient arrives and is unable
          to review the Notice of Privacy Practices (e.g. trauma patient, etc.) the packet of information
          and acknowledgement form will be given to them once they are able to review the materials.

VII.   REASONABLE PRECAUTIONS

        Hospitals and providers must take reasonable steps to make sure that protected health information
        is kept private. The government knows, however, that it is impossible to guarantee the privacy of
        PHI in ALL situations. Certain activities are therefore permitted, for example: calling out a
        patient’s name in a waiting area as necessary in caring for the patient; a physician or nurse
        talking about a patient’s condition or treatment over the phone or in a shared treatment area with the
        patient, family or other provider. Reasonable efforts must still be made to protect the patient’s
        privacy, such as using lowered voices or talking in a place apart from other people; patient care
        discussions should not occur in elevators.

       Organizations will be creating appropriate policies, procedures and systems to protect a patient’s
       privacy. These include selecting a privacy coordinator, providing privacy training for the
       workforce, and identifying sanctions to deal with privacy violations.

VIII. DISCLOSURE

      Protected health information may only be used and disclosed for purposes of treatment,
      payment and health care operations. PHI may NOT be used or disclosed for any other
      purposes, unless the patient reads, dates and signs an authorization form allowing the release of
      information. Authorization forms may be obtained from Medical Records.

      A limited number of exceptions to disclosure authorizations are permitted when there is an
      overriding public health or governmental risk or activity, or in reporting abuse or neglect, or for
      judicial and law enforcement purposes.

IX.   PATIENT’S RIGHTS TO PHI

      With a few exceptions, patients have the right to access, inspect and copy their health
      information. Requests must be granted within 30 days if the information is located on-site, and
      within 60 days if the information is located off-site. The provider may charge the patient for the
      actual cost of making copies of the health information.

      There are some exceptions to the patient’s right to access PHI. Before the health information is
      released to the patient, any element that falls under one of the exceptions should be identified and
      removed or covered up so that the patient cannot see it. The exceptions include:
             •   psychotherapy notes
             •   information that a health care professional determines could be harmful to the patient
             •   information compiled for use in a civil or criminal trial or administrative proceeding
             •   certain health information maintained by a covered entity that falls under the Clinical
                 Laboratory Improvements Amendments of 1988.

      If access to some of the health information is denied by a health care professional because it
      might cause substantial harm, then the patient has the right to request a review of the decision by
      another licensed health care provider who did not participate in the original decision. The health
      care provider must do what the reviewing professional’s decision says must be done. Other than
      these exceptions, access cannot be denied to the patient for as long as the provider maintains the
      health information in a designated medical record.

      If the patient reviews the PHI and does not agree with the content, an amendment may be filed.
      The request may be denied if the information is already accurate and complete, was not created
      by the provider, if the provider is not available to act on the request, or if the information is
      not accessible to the patient under HIPAA’s access rules. If a request for amendment is denied,
      the provider must inform the patient about his/her options regarding future disclosures of the
      disputed information.

      Patients may request limits on the use and disclosure of their protected health information. For
      example, a husband or wife might request that his or her PHI not be disclosed to the spouse, or to
      any family member. Agreement to a request is not required, but if agreed, the provider must
      limit those disclosures. The exception is in emergency situations. Any restriction that is agreed
      to must be documented and maintained in the medical record for at least six years.




X. SPECIAL ISSUES

      PHI may be disclosed to business associates without patient authorization if there is a HIPAA-
      compliant written contract. Business associates are companies or people that do services for a
      provider. A business associate might also perform, or assist with the performance of some
      activity the provider needs done. Examples might include Registries, third party billing
      companies, vendors, and consultants. Protected information may be disclosed to business
      associates if there is a written contract that the business associate will appropriately safeguard the
      information.3

      Patient authorization is not required for PHI uses and disclosures for health care operations. The
      definition of health care operations includes fundraising for the benefit of the hospital and the use
      of demographic information and the dates health care was rendered. Patient authorization is
      required for using or disclosing PHI to raise funds for any organization other than itself. For
      example, a provider organization must have the individual’s authorization to use PHI about the
      individual to seek funds for a non-profit organization that engages in research, education and
      awareness efforts about a particular disease.

      Parents of minors have access to and control of the protected health information about their
      children under the Privacy Rule. Exceptions apply when the minor is emancipated or self
      sufficient, in which case the minor controls access to his/her own PHI.

      The same set of HIPAA authorization requirements also applies to research uses and disclosures of
      PHI. Authorizations for research may be combined with an informed consent to participate in the
      research study or any other legal permission related to research. The design of the research
      study shall document an adequate plan to protect the patient identifiers from improper use or
      disclosure, and written assurance that the PHI will not be used or disclosed to a third party except
      as required by law or permitted by an authorization.

XI.   HIPAA SECURITY RULE

      The HIPAA Security Rule is effective April 20, 2005. The HIPAA Security Rule covers electronic
      PHI at rest (which means in storage), as well as during transmission (which means sending
      electronically). Any electronic PHI that is received, created, transmitted or maintained by DHS
      facilities is included under the Rule.

      DHS facilities must provide safeguards for the following:
          - Computer hardware and software
          - Locations that house computer hardware and software
          - Storage and disposal of data
          - Back-up of data
          - Access to data
          - Maintenance of facilities
          - Visitor access to facilities

      Patients do not have to ensure that information they send to us electronically is secure, for
      example, in an e-mailed message. However, once a patient’s email containing PHI is received by
      DHS facilities, it must be protected in accordance with the Security Rule.

      The Security Rule covers all electronic media. Electronic media includes:
          - Computer networks, desktop computers, laptop computers, personal digital assistants,
            handheld computers,
          - Computer software applications,
          - Magnetic tapes, disks, compact disks, USB storage devices and other means of storing
            electronic data, and
          - Telephone voice response, “fax back” and other systems that are used as input and output
            devices for computers.

          Paper-to-paper, person-to-person telephone calls, video teleconferencing or messages left on
          voice mail are not covered by the Security Rule; however, these and other methods of
          transmission of PHI not listed as electronic media are covered under HIPAA Privacy.

          A HIPAA Security Officer is required to oversee security implementation and enforcement of the
          Security Rule. The Security Officer guides the organization in determining the best ways to
          implement the Security Rule. The County of Los Angeles and the Department of Health Services
          have appointed HIPAA Security Officers to oversee security on a County and DHS level
          respectively. Questions regarding HIPAA Security can be referred to Harbor’s Information
          Systems, extension 5448.

      The Security Rule is comprised of the following three categories of standards:
          - Administrative Safeguards
          - Physical Safeguards, and
          - Technical Safeguards

      Each Standard has implementation specifications. There are two (2) types of implementation
      specifications:
          - Required: Must be followed as they are written in the Security Rule.
          - Addressable: Must be implemented if reasonable and appropriate for the organization.
            If not implemented, an explanation for why it was not reasonable or appropriate must be
            provided. (Note: “Addressable” does NOT mean optional. These must be addressed either
            through implementation or explanation.)


XII.   ADMINISTRATIVE SAFEGUARDS

          Administrative Safeguards require written documentation of the security measures.
          Policies and procedures must ensure prevention, detection, containment and correction of
          security violations. Policies and procedures must also ensure that all workforce members have
          appropriate access to electronic PHI in order to perform their job.

          These documented measures, policies and procedures must be kept on file for at least 6 years and
          updated through periodic review. A review might be triggered by an established review cycle, a
          change in technology, or a new security threat or incident.

      The Security Rule requires that each organization implement Administrative Safeguard policies
      and procedures regarding:
          - Risk Analysis - an accurate review of the risks involved in meeting the confidentiality,
            integrity and availability of PHI requirements;
          - Risk Management - implementation of security measures that will reduce the risks of attacks
            or losses that were identified in the risk analysis;
          - Sanction/Disciplinary actions - imposed on individuals for security violations;
          - Information Systems Activity Review procedures - regular review of information system
            activity records, including audit logs and security incident tracking reports;
          - Security Incident Reporting and Response, addressing:
                - Actions that are considered security incidents
                - The process to document such incidents
                - The information that should be included in the documentation
                - Appropriate responses for different types of incidents;
          - Contingency Plan - response to computer system emergencies:
                - Data back-up - create and maintain retrievable exact copies of electronic PHI,
                - Disaster recovery plan - procedures to restore any loss of data
                - Emergency mode operations plan - procedures that make it possible to continue
                  critical business activities that protect the security of electronic PHI during an
                  emergency; and
          - Business Associate Contracts and other Arrangements (i.e., MOU) - contracts and other
            arrangements between DHS and an outside entity that creates, receives, maintains or
            transmits electronic PHI on behalf of DHS.


XIII.   PHYSICAL SAFEGUARDS

        Physical safeguards protect DHS’ electronic information system hardware and related buildings
        and equipment. Security measures include protections from natural or environmental hazards
        and unauthorized access.

      An organization must implement policies and procedures to:
          - Limit physical access to DHS’ electronic information systems and the facility or facilities
            where they are kept.
          - Restrict access to computers or computer systems containing electronic PHI to authorized
            users, e.g., by passwords.
          - Assign security responsibilities to individuals who will supervise the use of approved
            security measures.
          - Limit access to data viewed on workstations, e.g., logging off the computer before
            leaving a workstation and automatic time-outs.
          - Control the disposal or re-use of electronic media containing electronic PHI.


XIV.    TECHNICAL SAFEGUARDS

        Technical safeguards include the use of computer technology solutions to protect the integrity,
        confidentiality and availability of electronic PHI.

      The Technical Safeguard standards require written documentation of security measures, policies
      and procedures implemented with respect to:
          - Access Control - ensures appropriate technical solutions are in place to protect the
            integrity, confidentiality and availability of electronic PHI. For example, electronic
            systems which handle confidential data and information require two tiers of security,
            e.g., a user identifier and a password.
          - Audit Control - requires implementation of hardware, software, and/or procedures that
            record and examine activity in information systems containing or using electronic PHI.
          - Integrity - prevents electronic PHI from being improperly altered or destroyed.
          - Person or Entity Authentication - procedures to verify that a person or entity seeking
            access to electronic PHI is the one he, she or it is claiming to be.
          - Transmission Security - protects against unauthorized access to electronic PHI while it
            is being transmitted.


XV.   ROLES AND RESPONSIBILITIES

      Successful compliance with the HIPAA Privacy and Security Standards involves creating
      systems that limit access to protected health information to the minimum amount necessary for
      staff to perform their job functions and that protect the availability and integrity of such
      information. Each employee is responsible for protecting each patient’s privacy by following the
      guidelines below.
          - Do not leave patient information in places where other people can see it if they have no
            need to know the information to perform their job. If PHI is left out, do not read
            through it - close the chart, cover it, or put it away in its appropriate place.
          - Log off the HIS terminal when you leave the computer station or after you have obtained
            the necessary data.
          - Do not share computer passwords or leave them out where they can be seen. Change
            passwords at least every 90 days.
          - Ensure all computers and laptops used to access electronic PHI are properly secured.
          - Be aware of your departmental contingency plans should the HIS or other automated
            systems used for patient care go down.
          - Ensure that all areas used to store PHI are properly secured. Ensure that only authorized
            personnel have access to these locations.
          - Keep paper records related to patients out of publicly accessible areas. Keep lab reports,
            correspondence and other items regarding patients out of common areas.
          - Only access confidential information if you have a need to know it to do your job. Staff
            should view medical records only for those patients they are treating or caring for.
          - Dispose of PHI properly - shred it instead of throwing it in the trash.
          - When faxing PHI to someone else, indicate that the FAX is confidential. Call and advise the
            receiving party when it is ready to send. Ask the individual to stand by to intercept the
            document and confirm receipt.
          - Be aware that violations of privacy or security policies and procedures are subject to
            disciplinary action.
          - Understand the law and comply with the medical center’s policies and procedures. If an
            issue is found, report the problem to the immediate supervisor or Privacy Coordinator.

        TREAT THE PATIENT’S INFORMATION THE WAY YOU WOULD WANT
                YOUR OWN PERSONAL INFORMATION TREATED.


XVI.    ENFORCEMENT

        The US Department of Health and Human Services Office for Civil Rights is responsible for
        enforcing compliance with the HIPAA Privacy standards. The Centers for Medicare and
        Medicaid Services (CMS) is responsible for ensuring compliance with the Security Rule.
        Suspected security violations are reported to the Office of Inspector General. There is no
        provision of HIPAA allowing patients to sue organizations and/or individuals for violations of
        the law, but they may have the ability to sue under state laws. Penalties for violating HIPAA
        laws range from civil fines to criminal penalties such as imprisonment.

        A. Civil Penalties
            - Individuals may be fined $100 for each violation (not to exceed $25,000 per calendar
              year) when a person knew or should have known about the violation(s).1

        B. Civil/Criminal Penalties for individuals and/or organizations:
            - Fines of up to $50,000 and/or imprisonment for up to one year for knowingly using PHI
              inappropriately;
            - Fines of up to $100,000 and/or imprisonment for up to five years for inappropriately
              accessing PHI under false pretenses; and
            - Fines of up to $250,000 and/or imprisonment for up to 10 years for any person or entity
              knowingly disclosing or obtaining PHI for the purpose of doing malicious harm or for
              commercial or personal gain.1

XVII.   CONCLUSION

        Protected health information may only be used and disclosed for purposes of treatment, payment,
        and health care operations unless authorized by the patient or allowed by law.1 Protecting PHI is
        everyone’s responsibility. We can all be patients at one time or another. How would you feel if
        your own health information were used in a way that was harmful to you or your family? If you
        have a question about the proper way to handle a patient privacy situation, ask your supervisor or
        manager. When each of us assumes responsibility for protecting the health information of others,
        we are more likely to be in compliance with HIPAA.

        Be familiar with and follow all applicable policies and procedures. A summary of HIPAA
        Security related policies and procedures is located in Appendix A. Copies of the policies and
        procedures are available through your supervisor or via the Harbor Intranet.




HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
                     Comprehensive Study Questions


1. The Privacy rule applies to protected health information (PHI) in all forms including electronic, written,
   oral and any other form.
    a. True                   b. False

2. The patient’s name, address, phone number, health insurance number, and social security number are all
   examples of what?
    a.   Patient identifiers
    b.   Protected health information
    c.   Information that may exist in written, electronic or oral form
    d.   All of the above

3. If you see a FAX with patient information lying on a counter top, what should you do?
    a. Read it to see if there is anything interesting in it
    b. Read the name of the person it was sent to - without reading the rest of it - and deliver it to that
       person
    c. Throw it in a wastebasket since apparently it wasn’t important
    d. None of the above

4. Discussing a patient’s condition over the phone, or in an open area of the care setting, with the patient,
   family, or another provider is allowed as long as reasonable efforts are made to protect the patient’s
   privacy – such as using lowered voices or talking in an area apart from other people.
    a. True                   b. False

5. Patients have a right to access, inspect and copy their medical record except for some information like
   psychotherapy notes.
    a. True                   b. False

6. Both civil and criminal penalties can apply to workers and not just organizations.
    a. True                   b. False

7. All people in a provider’s workforce – regardless of their duties or job description – have a responsibility
   to protect patient health information.
    a. True                        b. False

8. Which HIPAA rule is to protect individuals from wrongful use or disclosure of their health information?
    a.   Security rule
    b.   Privacy rule
    c.   Electronic transactions and code set rule
    d.   Electronic signature rule




9. Employees can maintain electronic security by:

    a.   Logging off on the HIS terminal whenever leaving the computer station
    b.   Sharing passwords with coworkers
    c.   Posting passwords in common areas
    d.   Accessing information on the HIS for coworkers

10. In order to verify that a patient received a copy of the Notice of Privacy Practices, providers must obtain
    written acknowledgement from the patient that the Notice of Privacy Practices was given or document the
    reason(s) why the provider was unable to give the Notice of Privacy Practices.
    a. True                   b. False

11. The privacy rule provides definitions and limitations for the use and disclosure of
    a.   Population data
    b.   Aggregate claims data
    c.   Protected health information
    d.   Principle health information

12. People or businesses included under the Privacy Rule are:
    a.   Healthcare providers that conduct one or more of the electronic transactions included in HIPAA
    b.   Health plans
    c.   Consultants
    d.   All of the above

13. A covered entity’s notice to patients on its privacy practices must include:
    a. Information on how to file complaints with the covered entity or with the Department of Health and
       Human Services
    b. Identification of a contact person who can provide additional information
    c. A description of how the covered entity will notify patients if its privacy practices change
    d. All of the above

14. A provider that is also a business associate, is restricted from using or disclosing the protected health
    information it creates or receives through its business associate work for any purposes other than those
    explicitly written in the business associate agreement.
    a. True              b. False

15. Which is an example of wrongfully using or disclosing protected health information?
    a.   A life insurance company using it to deny life or disability coverage
    b.   Employer using it as the reason for hiring or firing a person
    c.   Nosy neighbors who want to gossip about the person
    d.   Giving it to a reporter without the patient’s authorization
    e.   All of the above




16. The term “protected health information” includes which of the following?
      a.   Medical records
      b.   Insurance claim information
      c.   Payment information
      d.   All of the above
      e.   None of the above

17. Protected health information may only be used for purposes of treatment, payment and health care
    operations.
      a. True             b. False

18. The HIPAA Security Rule requires covered entities to do which of the following?
    a. Protect the integrity, confidentiality and availability of paper documentation.
    b. Stop all electronic bank transactions.
    c. Keep all data confidential even if it is not electronic.
    d. Protect the integrity, confidentiality and availability of the electronic protected health information
       they collect, maintain, use or transmit.
    e. Convert all protected health information on paper to electronic PHI.

19. Part of the HIPAA Security Rule requires that access to computers or computer systems containing
    electronic protected health information must be:
    a. Restricted to authorized users
    b. Available only in locked rooms
    c. Wherever space allows
    d. Freely available to everyone

20. Physical safeguard requirements of the Security Standards include protection of a covered entity's:
    a. Electronic information systems
    b. Buildings and equipment related to electronic information systems
    c. Patients
    d. A and B above
    e. A, B, and C above

21. Employees can protect PCs by not accepting emails from unknown sources or loading files from diskettes
    and other electronic media that are not properly scanned for viruses.
    a. True              b. False

                         CHECK YOUR ANSWERS TO THE STUDY QUESTIONS
                                   Answers to Study Questions

1. a     2. d     3. b     4. a     5. a     6. a     7. a     8. b
9. a    10. a    11. c    12. d    13. d    14. a    15. e    16. d
17. a   18. d    19. a    20. d    21. a

     IF YOU MISSED ONE OR MORE QUESTIONS, REREAD THE CONTENT AND REPEAT THE
                             STUDY GUIDE QUESTIONS.


     HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

                                                      References


1. http://aspe.hhs.gov/admnsimp/. Accessed February 27, 2003.

2. http://www.aamc.org/members/gir/hipaaforum/issues11102.htm. Accessed February 27, 2003.

3. http://www.health.state.state.ny.us/nysdoh/medicaid/hipaa/privacy.htm. Accessed February 27, 2003.

4. Health Care Compliance Strategies, Inc. HIPAA CD Training Curriculum. Jericho, NY; 2003.

5. Health Care Compliance Strategies, Inc. HIPAA CD Training Curriculum. Jericho, NY; 2005.




                                                 APPENDIX A
                              HARBOR-UCLA MEDICAL CENTER / COASTAL CLUSTER

                                               HIPAA PRIVACY
                                    POLICIES AND PROCEDURES SUMMARY

NOTE:     Harbor-UCLA Medical Center and DHS policy and procedures are referenced below. Complete copies of Harbor policy and
          procedures can be found on the Harbor Intranet or in your department’s copy of the Harbor Policy and Procedure Manual.
          Contact your CCHC Administrator for CCHC specific policies. DHS Policy and Procedures can be found on the DHS Intranet
          Website (www.ladhs.org).

 SUBJECT                 POLICY                                                                                  PURPOSE
 Notice of Privacy                                                                                               To establish the process for providing
                         It is the policy of DHS to make available an accurate Notice of Privacy Practices to each of
 Practices                                                                                                       a Notice of Privacy Practices
                         its patients at the time and in the manner specified by the HIPAA Privacy Regulations. The
                                                                                                                 (“Notice”) to patients regarding the use
                         Notice shall adequately describe the uses and disclosures of PHI that may be made by DHS,
 Policy # 703            as well as the patients’ rights and DHS’ legal duties with respect to PHI.              and disclosure of their Protected
                                                                                                                 Health Information (PHI), as well as
                         All DHS employees who are involved in direct patient care or who have access to PHI are the patients’ rights and the Department
                         required to read and understand the Notice of Privacy Practices.                        of Health Services’ (DHS) duties with
                                                                                                                 respect to PHI.
                         An inmate does not have the right to receive the Notice of Privacy Practices.
 Access of Individuals   Individuals shall be granted the right to access, inspect, and obtain copies of their Protected   To establish uniform policies and
 to PHI/Designated       Health Information (PHI) that is contained in a Designated Record Set except PHI that has         procedures for responding to an
 Record Set              been compiled for use in a civil, criminal, or administrative proceeding or disclosure is         individual’s right to access Protected
                         prohibited by the Clinical Laboratory Improvement Amendments of 1988 (CLIA).                      Health Information contained within
 Policy # 712                                                                                                              their health record/Designated Record
                         A Minor legally authorized by law to consent to treatment and an individual’s Personal            Set.
                         Representative have the right to request access to their PHI.
 Amendment of             DHS will act upon an individual’s request for correction or amendment to the                     To establish a policy and procedure
 PHI/Designated               individual’s Protected Health Information (PHI) for as long as the PHI is                    pursuant to the HIPAA Privacy Rule to
 Record                                 maintained by a DHS facility in a Designated Record Set.                           ensure that an individual has the right
                         DHS facilities may accept or deny the requested amendment and must observe specific               to request the Department of Health
 Policy # 723            practices pertaining to its response, record keeping, future disclosures, and documentation in    Services (DHS) correct or amend
                         accordance with the HIPAA Privacy Rule and as set forth in this Policy.                           Protected Health Information.
 Minimum Necessary       Minimum necessary is based on a “need-to-know”, and is the “limited” health information           To establish processes to limit DHS’
 Requirements            required to accomplish the intended purpose of the use or disclosure or request. Each DHS         uses or disclosures of, and requests for
                         facility shall make reasonable efforts to limit the use, disclosure of, and requests for          Protected Health Information (PHI) to
 Policy # 713            Protected Health Information (PHI) to the minimum necessary to accomplish the intended            the minimum necessary to accomplish

                                                 HIPAA Privacy and Securiity Compliance Self Study Guide: Comprehensive
                                                                               Page A- 1
                                                                                                                                              APPENDIX A
                                        HARBOR-UCLA MEDICAL CENTER / COASTAL CLUSTER

                                                              HIPAA PRIVACY
                                                   POLICIES AND PROCEDURES SUMMARY
SUBJECT                POLICY                                                                                         PURPOSE
                       purpose of the use, disclosure or request.                                                     the intended purpose of the use,
                                                                                                                      disclosure or request.
Patient’s Right to     DHS will allow a patient to request that uses and disclosures of their Protected Health        To establish a policy and procedure
Restriction on Use &   Information be restricted.                                                                     pursuant to the HIPAA Privacy Rule to
Disclosure of PHI                                                                                                     ensure that have the right to request
                                                                                                                      restrictions to the use and disclosure of
Policy # 709                                                                                                          their Protected Health Information.
Right to Request       DHS will provide individuals with an opportunity to request that they receive Protected To establish a policy and procedure
Confidential           Health Information in a Confidential Communication. DHS will accommodate reasonable pursuant to the HIPAA Privacy Rule to
Communication          requests by patients to receive Confidential Communications of Protected Health ensure that patients can receive
                       Information.                                                                                   communications regarding their
Policy # 708                                                                                                          Protected Health Information through
                                                                                                                      an alternative means or to an
                                                                                                                      alternative location in order to preserve
                                                                                                                      the confidentiality of the
                                                                                                                      communications.
Disciplinary Actions   Each DHS facility investigates failures to comply with policies related to Protected Health             To state the General Policy of
HIPAA Privacy and Security Compliance Self Study Guide: Comprehensive
Page A-2

APPENDIX A
HARBOR-UCLA MEDICAL CENTER / COASTAL CLUSTER
HIPAA PRIVACY
POLICIES AND PROCEDURES SUMMARY

Subject (continued from previous page): ... For Failure To Comply With Privacy Policies And Procedures (Policy # 729)

Policy: ... Information (PHI), privacy, confidentiality, and security, and imposes appropriate disciplinary actions where indicated.

Disciplinary actions are progressive and commensurate with the severity, frequency, and intent of violations. DHS applies disciplinary actions equitably without regard to role or position.

Unauthorized access, use, and/or disclosure of protected health information, or the failure to maintain and safeguard PHI, is subject to disciplinary action, including, but not limited to, verbal counseling, written warning, reprimand, suspension, and discharge, in accordance with the provisions of Los Angeles County Civil Service rules and DHS’ disciplinary policy and procedure (#747).

Disciplinary actions will not be applied to a workforce member who discloses protected health information (PHI) to a health oversight agency or an attorney in the process of reporting either an allegation of unlawful conduct by the entity or a violation of professional standards or clinical standards, or conditions in the entity that endanger patients (whistleblower). Additionally, disciplinary actions will not be applied for filing complaints, testifying, participating in investigations, compliance reviews, proceedings or hearings, or for opposing real or perceived unlawful acts or practices under this act, provided the disclosures are made in good faith.

Purpose: ... the Los Angeles County Department of Health Services (DHS) related to the improper use or disclosure of Protected Health Information under the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996, 45 C.F.R. Parts 160 and 164 (“HIPAA Privacy Standards”), and the Los Angeles County and DHS policies and procedures which implement HIPAA (“HIPAA Implementing Policies and Procedures”).

Subject: Complaints Related to Privacy of PHI (Policy # 728)

Policy:
1. It is the Department of Health Services’ (DHS) policy to protect the privacy of PHI in compliance with applicable law, as well as the DHS’ policies and business practices. All complaints related to privacy will be investigated and resolved, either internally (within DHS) or through the County’s Chief Information Privacy Officer. It is DHS’ policy to communicate, in accordance with this Policy, with individuals who report privacy-related complaints, to help ensure that such individuals understand DHS’ privacy-related Complaint Handling Process and are periodically informed as to the status of the complaint through the investigation and resolution process. It is DHS’ goal that, through the Complaint Handling Process, complaints will be internally resolved and closed within thirty (30) business days of the opening of the investigation by a DHS Facility Privacy Coordinator.
2. Complaints may be filed against members of DHS’ Workforce, members of DHS’ business associates’ Workforce, DHS’ privacy policies and procedures, or DHS’ business associates’ privacy policies and procedures.
3. Anonymous complaints will be permitted; however, the Complainant should be informed that insufficient detail may delay, hinder or prevent a full investigation.
4. Types of Complaints.
   a. Patients may file complaints concerning:
      i. Disagreements with DHS’ privacy policies and procedures;
      ii. Suspected violations in the use, disclosure or disposal of their PHI;
      iii. Denials of access to their PHI;
      iv. Denials of amendments to their PHI;
      v. Retaliatory or intimidating actions.
      vi. Members of the DHS Workforce or business associates may report a suspected violation of DHS’ policies and procedures and/or the HIPAA Privacy Regulations by another member of the Workforce, or against DHS’ policies and procedures.
5. Disclosures by Whistleblowers. DHS will not be considered to have violated the HIPAA Privacy Regulations when a whistleblower discloses PHI to the U.S. Department of Health and Human Services provided that:
   a. The Workforce member or business associate believes in good faith that DHS has engaged in unlawful conduct or otherwise violates professional or clinical standards, or that care, services, or conditions provided by DHS potentially endanger one or more patients, workers, or the public; and
   b. The disclosure is to:
      i. A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of DHS, or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by DHS; or
      ii. An attorney retained by or on behalf of the Workforce member or business associate for the purpose of determining the legal options of the Workforce member or business associate with regard to the conduct described in this section.
6. DHS may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against its Workforce (including whistleblowers) or patients for filing complaints.

Purpose: To establish a process for individuals to register their complaints about a DHS facility’s privacy practices.

Subject: Accounting of Disclosures (Policy # 726)

Policy: DHS shall recognize and accommodate the right of an individual to receive an accounting of disclosures concerning their Protected Health Information (PHI).

Purpose: To establish a policy and procedure applicable to all Department of Health Services (DHS) facilities, programs and Workforce Members regarding the accounting of disclosures of Protected Health Information (PHI).

Subject: Safeguards for Protecting PHI (Policy # 706)

Policy: Set forth below are policies establishing minimum administrative and physical standards regarding the protection of protected health information that DHS must enforce. DHS may develop additional policies and procedures that are stricter than the parameters set forth below in order to maximize the protection of protected health information in support of their specific circumstances and requirements. The development and implementation of policies and procedures in addition to those stated herein must be approved by the Chief Information Privacy Officer.

DHS will implement appropriate administrative, technical, and physical safeguards which will reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of DHS’ Privacy Policies.

DHS’ Workforce must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

Purpose: To establish safeguards that must be implemented by DHS to protect the confidentiality of protected health information.

Subject: Waiver of Rights (Policy # 705)

Policy: DHS will not require individuals to waive any of their rights under HIPAA as a condition to providing the individual with Treatment, Payment, enrollment in a Health Plan or eligibility for benefits.

Purpose: This document sets forth the policy of the Department of Health Services (DHS) prohibiting the conditioning of Treatment, Payment, enrollment in a Health Plan or eligibility for benefits on an individual’s waiver of rights under the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996.

Subject: Non-Retaliation (Policy # 710)

Policy: It is the policy of the Department of Health Services (DHS) to refrain from retaliatory or intimidating acts against individuals that make complaints or assert any other rights under the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996, 45 CFR Parts 160 and 164 (“HIPAA Privacy Standards”). Specifically, DHS will not intimidate, threaten, coerce, discriminate against or take other retaliatory action against any individuals asserting their rights under HIPAA, making privacy or HIPAA-related complaints, assisting in an investigation of DHS’ practices under HIPAA, or otherwise opposing activities that are in violation of HIPAA. Furthermore, DHS will not tolerate such actions by Workforce Members or members of its medical or allied health professional staffs.

Purpose: To state the Department of Health Services (DHS) policy not to retaliate against or intimidate individuals who make complaints or assert their rights under the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Subject: Disclosing PHI by Whistleblowers & Workforce Crime Victims (Policy # 727)

Policy: It is the policy of the Department of Health Services (DHS) that its Workforce Members and Business Associates may make Whistleblower Disclosures and Disclosures as Crime Victims in accordance with the requirements of the Health Insurance Portability and Accountability Act and DHS policy.

DHS will not take any intimidating or retaliatory action against Members of its Workforce or Business Associates who make Whistleblower Disclosures related to DHS’ handling of PHI and compliance with HIPAA.

Members of DHS’ Workforce are permitted to make Disclosures of PHI to a law enforcement official if the Workforce Member is the victim of a crime and the PHI to be Disclosed is about the suspect who allegedly committed the crime against the Workforce Member.

Purpose: To outline the policy of DHS on Disclosures of PHI by Workforce Members (and, in certain cases, its Business Associates) under the circumstances where such Workforce Member or Business Associate makes the Disclosure as a Whistleblower or a Victim of a Crime.

Subject: Incidental Uses & Disclosures (Policy # 716)

Policy: DHS will take steps to ensure that all incidental uses and disclosures are in accordance with HIPAA.

Purpose: The purpose of this policy is to outline appropriate uses and disclosures of protected health information (PHI) by the Department of Health Services (DHS) that are incidental to uses and disclosures otherwise made in accordance with the Privacy Standards of HIPAA.

Subject: Harbor-UCLA Medical Center Privacy Compliance Program (Policy # 700)

Policy: Harbor’s Privacy Program consists of twelve sections:
1. Privacy and Confidentiality Training
2. Disciplinary Actions for Failure to Comply with Privacy Policies and Procedures
3. Safeguards for Protected Health Information (PHI)
4. Disclosure of Protected Health Information (PHI)
5. Workforce Crime Victims
6. Mitigation
7. Non-Retaliation
8. Waiver of Rights
9. Complaints Related to Department of Health Services Privacy Practices
10. Personal Designations
11. Implementing Changes to Privacy-Related Policies
12. Documentation of Privacy Policies and Procedures

Purpose: To define the Privacy Program for Harbor-UCLA Medical Center.

Subject: Use & Disclosure of PHI Without Authorization (Policy # 715)

Policy: It is the policy of Harbor-UCLA Medical Center that its uses and disclosures of PHI are in accordance with applicable law. Prior to using or disclosing PHI, Harbor-UCLA Medical Center must either obtain Authorization if so required by the HIPAA Privacy Rule, provide the individual with an Opportunity to Agree or Object, or otherwise follow the requirements set forth in this policy and procedure. In specified circumstances, as set forth in this policy and procedure, Harbor-UCLA Medical Center may use or disclose PHI without an individual’s authorization.

Purpose: To outline the appropriate uses and disclosures of PHI that are allowed without Authorization or an Opportunity to Agree or Object, in accordance with the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996, Code of Federal Regulations, Title 45, Parts 160 and 164 (“The HIPAA Privacy Rule”).

Subject: Use and Disclosure of PHI Requiring Authorization (Policy # 714)

Policy: It is the policy of Harbor-UCLA Medical Center to obtain an individual’s written authorization before using or disclosing PHI for purposes other than treatment, payment, or healthcare operations, except as permitted by the HIPAA Privacy Rule. Use and disclosure of an individual’s PHI will be consistent with the valid authorization obtained from the patient.

Purpose: To establish a policy and procedure for Harbor-UCLA Medical Center, its programs and workforce members regarding the use and disclosure of protected health information (PHI), and the authorization required under the HIPAA Privacy Rule for such use or disclosure, when the use or disclosure is for purposes outside of those permitted relating to treatment, payment or healthcare operations, or under other provisions of the HIPAA Privacy Rule.

Subject: Right of an Individual to Agree or Object to Use and Disclosure of PHI (Policy # 707)

Policy: It is the policy of Harbor-UCLA Medical Center to provide an individual an opportunity to agree or object before Harbor-UCLA Medical Center uses or discloses the individual’s PHI for the inpatient facility directory, to family members and other persons the individual indicated as involved in the individual’s care or payment for the care, and for notification of family members and other persons responsible for the individual’s care about the individual’s general condition and location. This policy also allows disclosure of limited PHI for disaster relief purposes.

Purpose: To establish a policy and procedure for individuals to agree or object to uses and disclosures of Protected Health Information (PHI).

Subject: Designated Record Set (Policy # 722)

Policy: Harbor-UCLA Medical Center will identify those records that comprise the Designated Record Set in order to clarify the access and amendment standards as set forth in the regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA).

Purpose: Individuals have a right to inspect, obtain a copy of, and request amendment of PHI about themselves in a Designated Record Set. The purpose of this policy is to identify those records that comprise the Designated Record Set. Defining the scope of the Designated Record Set is important because it defines the information which is subject to an individual’s right to access and amendment.

Subject: Verification of Identity and Authority of Individuals Requesting PHI (Policy # 711)

Policy: It is the policy of Harbor-UCLA Medical Center to verify the identity and authority of individuals requesting PHI, as provided by this policy and procedure, if the identity or authority of that individual is not known to Harbor-UCLA Medical Center. In addition, Harbor-UCLA Medical Center must obtain statements or representations, whether oral or written, from the person requesting PHI when they are required as a condition of disclosure of PHI.

Purpose: To establish a policy and procedure for verifying the identity and authority of individuals requesting PHI.

Subject: Use and Disclosure of PHI of Deceased Individuals, Minors and Personal Representatives (Policy # 717)

Policy: Harbor-UCLA Medical Center will ensure its use or disclosure of the PHI of deceased individuals is in accordance with applicable law. If, under applicable California law, an executor, administrator or other person has the authority to act on behalf of the deceased individual or the deceased individual’s estate, then Harbor-UCLA Medical Center shall treat such person as the deceased individual’s personal representative, and allow such personal representative to make decisions regarding the deceased individual’s PHI. Before using or disclosing the PHI of a deceased individual, Harbor will obtain, if necessary, an appropriate Authorization from the personal representative of the deceased individual in accordance with DHS Policy No. 361.4, “Use and Disclosure of PHI Requiring Authorization”. This policy applies for as long as Harbor-UCLA Medical Center maintains a deceased individual’s PHI.

If, under applicable law, a person has the authority to act on behalf of an individual who is an adult or an emancipated minor regarding health care decisions, then Harbor-UCLA Medical Center must treat this person as the individual’s personal representative responsible for making decisions regarding the use and disclosure of such individual’s PHI and must obtain, as necessary, an appropriate Authorization from the personal representative in accordance with DHS Policy No. 361.4, “Use and Disclosure of PHI Requiring Authorization”.

If, under applicable law, a parent, guardian or person acting in loco parentis has the authority to act on behalf of an individual who is an unemancipated minor regarding health care decisions, Harbor must treat such person as a personal representative responsible for making decisions regarding the use and disclosure of such individual’s PHI and must obtain, as necessary, an appropriate Authorization from the personal representative in accordance with DHS Policy No. 361.4, “Use and Disclosure of PHI Requiring Authorization”.

Purpose: To outline the procedures of Harbor-UCLA Medical Center for the Use or Disclosure of PHI of deceased individuals, minors and personal representatives of individuals, in accordance with the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996, Code of Federal Regulations, Title 45, Parts 160 and 164 (“The HIPAA Privacy Rule”).

Subject: De-Identification of PHI/Limited Data Sets (Policy # 719)

Policy: It is the policy of Harbor-UCLA Medical Center to set forth requirements for de-identification and re-identification of Protected Health Information (PHI). PHI is de-identified when the identifiers listed below have been removed and there is no basis to believe the information can be used to re-identify the individual. De-identified information is not PHI.

Unless otherwise restricted or prohibited by other federal or state law, Harbor-UCLA Medical Center can use and share information as appropriate for the work of Harbor-UCLA Medical Center, without further restriction, if Harbor or another entity has taken steps to de-identify the information consistent with the requirements and restrictions of this policy.

Harbor-UCLA Medical Center may use or disclose a limited data set that meets the requirements of this policy if Harbor enters into a data use agreement with the limited data set recipient (or with the data source, if Harbor-UCLA Medical Center will be the recipient of the limited data set) in accordance with the requirements of this policy.

Purpose: To protect the privacy of patient health information by removing information that is individually identifiable when it is not necessary for the purpose for which the information is being used or disclosed.

Subject: Business Associate Agreement (Policy # 725)

Policy: DHS/Harbor-UCLA Medical Center shall execute Board-approved agreements with its designated Business Associates, in accordance with the requirements of the HIPAA Privacy Rule. Harbor and its officers, employees and agents shall not disclose PHI to any Business Associate in the absence of such a written agreement. The agreement shall state how the Business Associate may use or disclose the PHI and the Business Associate’s obligations to safeguard the PHI.

Business Associate provisions are not required for disclosures by Harbor-UCLA Medical Center to a health care provider concerning the treatment of an individual.

DHS/Harbor-UCLA Medical Center is not liable for privacy violations of its Business Associate. Harbor-UCLA Medical Center is not required to actively monitor or oversee the means by which the Business Associate carries out safeguards or the extent to which the Business Associate abides by the requirements of the contract.

Purpose: To protect individuals’ PHI transferred to, created or received by Harbor-UCLA Medical Center’s Business Associates by requiring contractual assurances that the Business Associate will safeguard the PHI and use the PHI only as permitted by the Business Associate Agreement.

This policy relates to relevant Board of Supervisors Agreements and Purchase Orders executed by DHS/Harbor-UCLA Medical Center for services by vendors (i.e., persons or entities) that perform functions, activities or services, other than treatment, on behalf of Harbor-UCLA Medical Center that involve the use and/or disclosure of PHI.

Mitigation (Policy # 724)

  Policy: It is the policy of DHS/Harbor-UCLA Medical Center to mitigate, to the extent practicable, any harmful effects that are known to it, which arise out of the Use or Disclosure of PHI by either members of its Workforce or its Business Associates in violation of the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996, 45 CFR Parts 160 and 164 (HIPAA Privacy Standards) or the Hospital's policies and procedures to implement HIPAA policies.

  Purpose: To establish policy and procedure for mitigating harmful effects as a result of use and disclosure of PHI by Workforce members or Business Associates.

HIPAA Privacy and Security Compliance Self Study Guide: Comprehensive
Page A-9

APPENDIX A
HARBOR-UCLA MEDICAL CENTER / COASTAL CLUSTER
HIPAA PRIVACY
POLICIES AND PROCEDURES SUMMARY
(Each entry below lists: SUBJECT; POLICY; PURPOSE.)
Use and Disclosure of PHI for Research (Policy # 718)

  Policy: It is the policy of Harbor-UCLA Medical Center to permit use and disclosure of the PHI it maintains for research, regardless of the source of funding of the research, only as provided in the policy. Specifically, Harbor-UCLA Medical Center will only permit the use and disclosure of PHI for research purposes as follows:
    - If the individual who is the subject of the PHI provides prior authorization; or
    - Without the individual's prior authorization if:
        - An Institutional Review Board (IRB) or Privacy Board has approved a waiver or alteration of the authorization requirement;
        - Representations are obtained from the researcher that the use or disclosure of PHI is solely for preparation for research, e.g., to prepare a research protocol;
        - Representations are obtained from the researcher that the use or disclosure of PHI is solely for research on the PHI of decedents; or
        - PHI is de-identified in compliance with HIPAA's de-identification requirements or partially de-identified as a limited data set in compliance with HIPAA's limited data set requirements.

  Purpose: To establish a policy and procedure for use and disclosure of PHI for research purposes.
Use and Disclosure of PHI for Fundraising (Policy # 721)

  Policy: It is the policy of Harbor-UCLA Medical Center to obtain an individual's Authorization for any use or disclosure of PHI for Marketing except if the communication is in the form of:
    - A face-to-face communication made by Harbor-UCLA Medical Center to an individual, or
    - A promotional gift of nominal value provided by Harbor-UCLA Medical Center.
  If Marketing involves direct or indirect remuneration to Harbor-UCLA Medical Center from a third party, the authorization must state that such remuneration is involved.

  Purpose: To establish a policy and procedure for use and disclosure of PHI for Marketing purposes.




APPENDIX A
HARBOR-UCLA MEDICAL CENTER / COASTAL CLUSTER HEALTH CENTERS
HIPAA SECURITY
POLICY AND PROCEDURES SUMMARY

NOTE: Harbor-UCLA Medical Center and DHS policy and procedures are referenced below. Complete copies of Harbor policy and procedures can be found on the Harbor Intranet or in your department's copy of the Harbor Policy and Procedure Manual. Contact your CCHC Administrator for CCHC specific policies. DHS Policy and Procedures can be found on the DHS Intranet Website (www.ladhs.org).

IMPORTANT INFORMATION SECURITY POLICIES FOR WORKFORCE MEMBERS
(Each entry below lists: Standards; Implementation Specifications & Type; Harbor & DHS Policy Numbers & Title; DHS Policy Purpose; Accountability.)

Harbor & DHS Policy: 731: Information Technology and Security Policy (DHS Cross Reference: 935.00: DHS Information Technology and Security Policy)

  DHS Policy Purpose: To provide direction for the development and implementation of data security policies and procedures and to identify the data security officials and their responsibilities.

  DHS and each facility are responsible for securing all electronic data including PHI and must also comply with all regulatory, compliance and accreditation sources such as HIPAA and JCAHO.

  Harbor and CCHC workforce members must comply with the provisions of DHS and local facility data security policies.

  Accountability: DHS Information Security Officer; Chief Information Officer; Information Security Coordinators; System Managers / Owners; DHS Human Resources; Workforce Members





Standard: Workforce Security
  Implementation Specifications & Type: Authorization and/or Supervision; Workforce Clearance Procedure; Termination Procedures
  Harbor & DHS Policy: 734: Workforce Security (DHS Cross Reference: 935.03: Workforce Security)

  DHS Policy Purpose: To ensure workforce members have appropriate access to data systems and information contained in data systems and to prevent unauthorized access to confidential and Protected Health Information (PHI).

  Ensures access to information systems that contain PHI or other confidential information is given to workforce members based on their job responsibilities and "need to know".

  Accountability: Chief Information Officer; System Managers/Owners; Workforce Members





Standard: Security Incident Procedures
  Implementation Specifications & Type: Response and Reporting
  Harbor & DHS Policy: 737: Security Incident Report and Response (DHS Cross Reference: 935.06: Security Incident Report and Response)

  DHS Policy Purpose: To develop, implement and maintain appropriate security incident identification, response, mitigation, and related documentation processes.

  Requires each workforce member to immediately report any and all suspected and actual breaches of information security to the Information Security Coordinator (310-222-5448) and Information Technology Services Director (310-222-5059). Security incidents include, but are not limited to, virus attacks, unauthorized access to an electronic system containing PHI, or theft of electronic equipment storing PHI.

  The Information Security Coordinator and Information Technology Services Director are to follow appropriate escalation and reporting procedures to the DHS Information Security Officer and the Department Cyber-terrorism Emergency Response Team.

  Accountability: Workforce Members; Information Security Coordinator; Information Technology Services Director





Standard: Workstation Use/Workstation Security
  Implementation Specifications & Type: Workstation Use; Workstation Security
  Harbor & DHS Policy: 742: Workstation Use and Security (DHS Cross Reference: 935.11: Workstation Use and Security)

  DHS Policy Purpose: To restrict workstation use and access to Protected Health Information (PHI) and other confidential information by using physical, administrative, and technical controls.

  Requires all users to take reasonable security precautions to prevent unauthorized physical access to sensitive information from workstations (e.g., concealing video displays, securing unattended workstations by using password protected screensavers, etc.).

  Requires workstations to be password protected.

  Workstations must be positioned away from common areas or have a privacy screen installed.

  Mobile devices must be pre-approved by the CIO; require encryption for sensitive information; must not be left unattended in a non-secure area; if left in a car, must be locked in the car and stored out of sight.

  Accountability: Chief Information Officer; System Managers/Owners; Workforce Members





Standard: Workstation Use/Workstation Security (Cont.)

  DHS Policy Purpose (continued): Confidential Information is not to be stored or saved on removable media (floppy disks, USB drives, etc.) without proper safeguards and authorization; removable media must be maintained or stored in a secure area. Printers for confidential information must not be left unattended or in a non-secure area.

  Media and information must be disposed of properly.

  Workstations located in a public or open area must be physically secured in a locked room, locked cabinet or strongly anchored.

  Security cameras may be used in high-risk locations.

  Workforce members must not install/uninstall software (County installed, Internet software, games, screensavers, patches, plug-ins) or repair servers or workstations without authorization.





Standard: Person or Entity Authentication
  Implementation Specifications & Type: Person or Entity Authentication
  Harbor & DHS Policy: 748: System, Person or Entity Authentication (DHS Cross Reference: 935.17: System, Person or Entity Authentication)

  DHS Policy Purpose: To verify that a person or entity seeking access to Protected Health Information (PHI) and other confidential information is the one claimed.

  Directs workforce members not to use another person's user ID/code, password, or other security device to gain access to an information system. Requires workforce members to verify the identity of any person or entity receiving PHI or other confidential information.

  Requires the CIO to ensure that a workforce member is the actual person he/she claims to be.

  Accountability: Workforce Members; Chief Information Officer; DHS Information Security Officer





Harbor & DHS Policy: 627: Data Security Responsibility (DHS Cross Reference: 935.20: Acceptable Use Policy for County Information Technology Resources)

  DHS Policy Purpose: To ensure the proper use of County information technology resources within Harbor-UCLA Medical Center.

  This policy advises workforce members on the proper use of DHS' and the County's information technology resources. Workforce members are required to sign the County agreement containing information on the County's expectations on the use of information technology resources. Workforce members are also required to sign an acknowledgment that they have received the policy and the agreement. Both signed documents will be filed in the employee's official personnel file. Newly hired workforce members will be required to sign the agreement and acknowledgment at their new hire orientation.

  Accountability: Workforce Members




ADDITIONAL ADMINISTRATIVE SAFEGUARDS POLICIES
(Each entry below lists: Standards; Implementation Specifications & Type; Harbor & DHS Policy Numbers & Title; DHS Policy Purpose; Accountability.)
Standard: Security Management Process
  Implementation Specifications & Type: Risk Analysis; Risk Management; Sanction Policy; Information System Activity Review; Workforce Clearance Procedure; Termination Procedures
  Harbor & DHS Policy: 732: Security Management Process: Risk Management (DHS Cross Reference: 935.01: Security Management Process: Risk Management)

  DHS Policy Purpose: To create and implement security management processes that ensure the security (confidentiality, integrity and availability) of Protected Health Information (PHI) and other confidential information.

  Requires System Managers/Owners to analyze the security risk levels for each of their information systems and develop procedures to decrease the chance that the systems will be attacked by a virus or accessed by unauthorized users. They are also required to identify steps to minimize any damage to systems and contents in the event of such occurrence.

  Accountability: Information Security Officer; Chief Information Officer; System Managers / Owners




Standard: Information Access Management
  Implementation Specifications & Type: Isolating Health Care Clearinghouse Function; Access Authorization; Access Establishment and Modification
  Harbor & DHS Policy: 735: Information Access Management (DHS Cross Reference: 935.04: Information Access Management)

  DHS Policy Purpose: To create administrative controls for access to Protected Health Information (PHI) and other confidential and/or sensitive information. Restricting access to those persons and external entities with a need for access is a basic tenet of security.

  Establishes mechanisms and procedures requiring System Managers/Owners to develop and implement policies and procedures to grant/restrict access to systems on a "need-to-know" basis and according to job responsibilities. The policy also addresses the manner by which information may be accessed (workstation, transaction, program, process), who can grant access to systems, and the monitoring of authorized persons who need to work in areas containing PHI.

  Accountability: Chief Information Officer; System Managers / Owners




Standard: Security Awareness and Training
  Implementation Specifications & Type: Security Reminders; Protection from Malicious Software; Log-in Monitoring; Password Management
  Harbor & DHS Policy: 701: Privacy and Security Awareness Training (DHS Cross Reference: 361.24: Privacy and Security Awareness Training)

  DHS Policy Purpose: To outline the Privacy and Security training for the Harbor-UCLA Medical Center.

  Requires all workforce members to be trained on their responsibilities related to protecting the confidentiality, integrity and availability of PHI and other confidential information.

  The types of training are as follows:
    - Awareness - distributing information related to privacy and security issues;
    - Comprehensive training - role-based for privacy; all staff for security issues;
    - Specialized training - for specific workforce members who handle and maintain information systems; and
    - Business Associates - for those who provide contract and purchase order services.

  Accountability: Chief Information Officer




                                        HIPAA Privacy and Securiity Compliance Self Study Guide: Comprehensive
                                                                      Page A- 20
                                                                                                                                       APPENDIX A
                             HARBOR-UCLA MEDICAL CENTER / COASTAL CLUSTER HEALTH CENTERS

                                                            HIPAA SECURITY
                                                   POLICY AND PROCEDURES SUMMARY

ADDITIONAL ADMINISTRATIVE SAFEGUARDS POLICIES
                   Implementation
                                      Harbor & DHS Policy                                       DHS Policy                      Accountability
   Standards       Specifications &
                                       Numbers & Title                                           Purpose
                        Type

Security                                                             Training includes providing workforce members
Awareness and                                                        with periodic security updates; procedures for
Training (Cont.)                                                     protecting information systems from malicious
                                                                     software such as viruses and worms; procedures
                                                                     for monitoring computer or network log-in
                                                                     attempts and reporting discrepancies; and
                                                                     procedures for creating, changing and
                                                                     safeguarding passwords

                                                                     The policy also addresses safeguarding
                                                                     passwords, user id’s and other security
                                                                     identification devices; workstation usage; new hire
                                                                     orientation; facility orientation; job specific training
                                                                     each time workforce member changes job
                                                                     responsibilities and any time HIPAA privacy or
                                                                     data security rules are revised, and whenever
                                                                     general data security policies or procedures need
                                                                     to be revised.





Standard: Contingency Plan
Implementation specifications: Data Backup Plan; Disaster Recovery Plan; Emergency Mode
    Operation Plan; Testing and Revision Procedure; Applications and Data Criticality Analysis
Harbor policy: 738: Facility Information Technology (IT) Contingency Plan
DHS cross reference: 935.07: Facility Information Technology (IT) Contingency Plan
Accountability: Chief Information Officer; System Managers/Owners
Purpose: To define the Facility Information Technology (IT) Contingency Plan.

Requires each DHS facility to develop and implement an IT Contingency Plan, a master plan for
responding to IT system emergencies such as fire, vandalism, system failure and natural
disaster, to ensure that facility/departmental operations can continue with minimal
interruption and that data can be recovered. The elements of the plan must be based on how
important the system is to the facility/department and must address issues such as data
backup and recovery and the identification of emergency response personnel and their
responsibilities.





Standard: Evaluation
Implementation specification: Evaluation
Harbor policy: 739: Security Compliance Evaluation
DHS cross reference: 935.08: Security Compliance Evaluation
Accountability: Chief Information Officer; Information Security Coordinator; Privacy Coordinator
Purpose: To establish a process for monitoring Harbor’s compliance with the security aspects
of Harbor Policy No. 700: Harbor-UCLA Medical Center Privacy and Security Compliance Program.

Requires Harbor to evaluate its IT security safeguards annually to ensure they comply with
the data security and risk management requirements. One of the three safeguard categories
(administrative, technical or physical) must be reviewed each year for each system.





Standard: Business Associate Contracts and Other Arrangements
Implementation specification: Written Contract or Other Arrangement
Harbor policy: 725: Business Associate Agreement
DHS cross reference: 361.20: Business Associate Agreement
Accountability: Contract Management Director
Purpose: To protect individuals’ Protected Health Information (PHI) transferred to, created
or received by the Harbor-UCLA Medical Center’s Business Associates by requiring contractual
assurances that the Business Associate will safeguard the PHI and use it only as permitted by
the Business Associate agreement.

Applicability: This policy relates to relevant Board of Supervisors’ Agreements and Purchase
Orders executed by DHS for services by vendors (i.e., persons or entities) that perform
functions, activities or services, other than treatment, on behalf of DHS that involve the
use and/or disclosure of PHI.

DHS policy prohibits its officers and agents from disclosing PHI to any Business Associate
without a written agreement. The written agreement directs the Business Associate on how it
may use or disclose the PHI and states its responsibilities to safeguard the information. The
policy contains actual contract language for Business Associates that covers use and
disclosure of PHI.




ADDITIONAL PHYSICAL SAFEGUARDS POLICIES

Standard: Facility Access Controls
Implementation specifications: Contingency Operations; Facility Security Plan; Access Control
    Plan and Validation Procedures; Maintain Records; Workstation Security
Harbor policy: 741: Facility Access Control
DHS cross reference: 935.10: Facility Access Control
Accountability: Chief Information Officer; System Managers/Owners
Purpose: To define the process for ensuring the physical protection of Harbor’s information
systems and infrastructure.

Requires Harbor to implement policies that limit physical access to electronic information
systems and the facilities in which they are housed. Access to systems must be validated
based on the workforce member’s job functions; the same validation applies to visitors. The
policy also addresses the security of software programs, the interior and exterior of the
premises, and equipment.




Standard: Device and Media Controls
Implementation specifications: Disposal & Media Re-Use; Accountability; Data Backup and Storage
Harbor policy: 744: Device and Media Controls
DHS cross reference: 935.13: Device and Media Controls
Accountability: System Managers/Owners
Purpose: To state the requirement for controls that govern the receipt and removal of
hardware, software and electronic media (for example, diskettes and tapes) into and out of
Harbor.

Requires System Managers/Owners to document the receipt, removal, reuse and disposal of
system hardware and software, and to take the precautions needed to ensure that PHI or other
confidential information is removed where necessary (for example, before media are reused or
disposed of).




ADDITIONAL TECHNICAL SAFEGUARDS POLICIES

Standard: Access Control
Implementation specifications: Unique User Identification; Emergency Access Procedure;
    Automatic Logoff; Encryption and Decryption
Harbor policy: 745: System Access Control
DHS cross reference: 935.14: System Access Control
Accountability: Chief Information Officer; System Managers/Owners
Purpose: To state the technical security requirements for electronic information systems so
that access is allowed only to persons or software programs that have appropriate access
rights.

Describes the security measures System Managers/Owners must use to ensure the security of
information systems (e.g., assigning unique user names, monitoring system log-in, automatic
log-off, encryption/decryption, and maintaining system security documentation).




Standard: Audit Controls
Implementation specification: Audit Controls
Harbor policy: 746: System Audit Control
DHS cross reference: 935.15: System Audit Control
Accountability: Chief Information Officer; System Managers/Owners
Purpose: To ensure that audit control mechanisms that record and examine system activity are
in place for all departmental electronic information systems.

Requires Harbor to log and store system activity and to develop an “audit control and review
plan” that determines which activities need to be monitored, the responsibilities of the
applicable workforce members, and the frequency of audits.




Standard: Integrity
Implementation specification: Mechanism to Authenticate Electronic Protected Health Information
Harbor policy: 747: Information Integrity
DHS cross reference: 935.16: Information Integrity
Accountability: DHS Information Security Officer; Chief Information Officer;
    System Managers/Owners; Workforce Members
Purpose: To protect Protected Health Information (PHI) and other confidential information
from improper alteration and/or destruction.

Requires the CIO and System Managers/Owners to take authentication measures appropriate to
each system’s risk level to ensure that the data and information the system contains are not
improperly altered or destroyed. Requires workforce members to report any unauthorized
destruction or alteration of data to the system manager/owner.




Standard: Transmission Security
Implementation specifications: Integrity Controls; Encryption
Harbor policy: 749: Transmission Security Policy
DHS cross reference: 935.18: Transmission Security Policy
Accountability: DHS Information Security Officer; Chief Information Officer;
    System Managers/Owners
Purpose: To state the technical requirement that electronic information transmitted over a
communications network must be protected in a manner commensurate with the associated risk.

Requires Harbor to take appropriate measures, such as encryption, to ensure the security of
information transmitted electronically over the Internet, over external communications links,
and across all parts of a communications network.






                             OTHER RELATED DHS SECURITY POLICIES AND PROCEDURES

Harbor policy: 700: Harbor-UCLA Medical Center Privacy and Security Compliance Program
DHS cross reference: 361.1: Department of Health Services Privacy and Security Compliance
    Program
Accountability: Workforce Members
Purpose: To define the Privacy and Security Program for Harbor-UCLA Medical Center.

Summarizes the elements of the DHS Privacy and Security Program, which include:
    • Training of workforce members
    • Disciplinary action for failure to follow privacy and security policies
    • Development of policies and procedures to safeguard all aspects of PHI and other
      confidential information
    • Whistleblower and workforce crime victim protections
    • Mitigation, non-retaliation, the complaint process, implementation, and documentation
    • Assignment of responsibility to implement and enforce policies and procedures
      protecting PHI and other confidential information.

Harbor policy: 706: Safeguards for Protected Health Information
DHS cross reference: 361.23: Safeguards for Protected Health Information
Accountability: Workforce Members
Purpose: To establish the safeguards that must be implemented by Harbor-UCLA Medical Center
to protect the confidentiality of protected health information.

Describes the minimum standards for ensuring the confidentiality of Protected Health
Information (PHI). The policy addresses: oral communications, cellular telephones, telephone
messages, faxes, U.S. Mail, destruction standards, physical access to PHI, technical
safeguards, use of electronic systems (e.g., PDAs, e-mail, WLANs, electronic transmission of
clinical laboratory tests) and document retention.

This policy requires each workforce member to sign an acknowledgment of the DHS Guidelines
Governing the Use of E-Mail Involving Protected Health Information (PHI).

Harbor policy: 750: Data Security Documentation Requirement
DHS cross reference: 935.19: DHS Data Security Documentation Requirement
Accountability: Chief Information Officer
Purpose: To establish documentation requirements for data security policies and procedures
and for Health Insurance Portability and Accountability Act (HIPAA) Security Rule
implementation decisions.

Requires Harbor-UCLA Medical Center to maintain its policies and procedures, in paper or
electronic form, and all other data security documentation, including security actions taken
and assessments, for at least 6 years or longer where required by any regulatory, compliance
and/or accreditation agency. Requires the documents to be readily available to appropriate
users and auditors.



