HIPAA Privacy and Security

What is HIPAA?

The Health Insurance Portability and Accountability Act, or HIPAA, is a Federal law, which means that compliance with it is mandatory. The purpose of the law is to protect the privacy and security of patient information by ensuring that no one accesses or discloses the information unless it is necessary for treatment, payment, or operations purposes. But protecting patient privacy is not new. Health care organizations were bound to protect patient privacy long before HIPAA was passed in 1996. There are additional protections under New Jersey law, some of which relate to alcohol and substance abuse treatment. Additionally, our Joint Notice of Privacy Practices details how MyEZHealth may use and disclose patient information and informs patients about their rights.

BE HIPAA AWARE

  • Keep ALL patient information private! ONLY access and disclose the minimum necessary amount of Protected Health Information (PHI) to get your job done.
  • Think before you access or share information. This includes the protected health information of members of your family, friends, coworkers, celebrities, public figures, etc. Ask yourself “Do I need this information to do my job?” If not, then don’t access the patient record. Unauthorized access to, alteration of and/or destruction of PHI will result in disciplinary action.
  • Don’t leave PHI unattended or exposed to the public. Cover or turn paper documents over, close the lid of the WOW or shut a door.
  • Always ask for the Confidentiality Code, even if you believe you know the individual asking or calling for information about a patient. If the individual doesn’t have the code, only general information can be provided. Patients also have a right to have their name included in the facility directory. If the patient decided not to participate in the directory, you can provide NO information with the Confidentiality Code!
  • Know who is around you! DON’T discuss PHI in areas where you can easily be overheard such as in elevators, the cafeteria, or busy waiting rooms.
  • Everyone loves a good story, but DON’T discuss patient information over the dinner table; what you learn, hear and see at work needs to stay at work!
  • ALWAYS ask a patient if it is okay to speak to them in front of family members, friends, and visitors. If not, make the appropriate accommodations such as asking visitors to step outside the room, and close the curtain between patients to protect patient privacy.

Fax and Email Communications

  • HIPAA regulations acknowledge that there are times when patient information must be shared via fax, and they require safeguards to protect the patient’s PHI when this happens. Some of these protections include:
    • Locate the fax machine in a private place, and ALWAYS use a cover page with HIPAA compliant language such as the one found with our HIPAA Policy P7.
    • Always verify/double check the recipient’s fax number BEFORE hitting the “send” button. Regularly ask for a confirmation back that the person or facility has received the requested information. Lastly, check the fax machine often for incoming documents, as these forms deserve the same amount of protection as outgoing paperwork.
  • The Privacy Rule also allows for health care providers to communicate patient information via email provided the sender takes precaution when doing so. Before hitting “send” you need to:
    • Check the email address for accuracy.
    • If unsure of the email address, send an email alert to the patient to confirm the email address before sending any PHI.
    • Emails Containing PHI should be sent via the secure server unless the patient has indicated a preference.
    • DO NOT forward emails containing treatment and/or confidential patient communications.

SECURITY

Physical Security

  • Be Vigilant: personal health information, confidential or sensitive information as well as computers, tablets and phones are valuable and are targets of theft.
    • Position monitors away from public view and display a minimal amount of patient data so that screens can’t be easily read by others.
    • Limit public access to file cabinets and computers. Do not leave any sensitive information on your desk or on others’ desks. Always lock desks and file cabinets when possible.
    • Log off or lock your computer, even if you only step away for a minute. Just getting a cup of coffee could allow someone to read confidential email or files only you should see.
    • When traveling, protect your MyEZHealth owned portable device. Do not leave devices unattended in a car or an unsecure hotel room. It only takes a thief seconds to break a window and run away with your belongings!
    • If a portable device such as a laptop or phone is stolen:
      • Report the theft to local police
      • Report it to the MyEZHealth Security Officer
  • If you see someone doing something inappropriate, accessing information they should not, or an unfamiliar person in an area restricted from the public, contact your manager and the MyEZHealth Security Officer.

Cyber Security

  • Your account= YOU! NEVER share your log-in and/or password. If someone uses your account for inappropriate access or abuse you will be held accountable for this individual’s actions. MyEZHealth will never ask for your password.
  • Use long and complex passwords; do not use your name, MyEZHealth or other obvious words or phrases!
  • Be aware and skeptical when receiving emails; avoid falling for a scam to click a malicious link or open a malicious attachment. If you do not know the sender, or if it has nothing to do with your job, DELETE IT.
  • Do not download or attempt to install software on your computer. What appears to be harmless may be malicious and disrupt the entire Enterprise.
  • Understand that access to the internet, email, applications and computers is provided to perform your job effectively and efficiently; it is not for personal use.
  • Any attempt to circumvent, test, or compromise computer or communication system security measures is strictly prohibited.
  • Do not send PHI via email unless it is approved and absolutely necessary for your job. Encrypt outgoing emails by using the phrase ZIXSECURE in the subject line.
  • PHI must be protected when it travels. If placed on external media, the media must be encrypted; contact MyEZHealth for assistance.
  • Report security problems. If sensitive information is lost or disclosed, or you suspect either, contact MyEZHealth.
  • Never post patient information on social media sites, such as Facebook or Twitter, regardless of how unrecognizable or innocent you believe the message to be. Do not attempt to represent MyEZHealth in any manner unless explicitly approved by Marketing. Take great care in your personal social media presence; what is placed on the internet stays on the internet indefinitely.
  • Never text ANY data, including patient photos.

Breach of PHI (NEW 2017)

  • Even when we take the utmost care in protecting a patient’s information, disclosures to unauthorized individuals can happen. Incidents such as providing the patient with another individual’s discharge instructions, throwing a patient label in the regular trash, sending a fax to the wrong number, or forwarding an email containing PHI to an unauthorized individual are all considered to be a breach of patient information.
  • When a breach is found to have occurred MyEZHealth is required to notify the patient as well as the Office for Civil Rights of the incident. MyEZHealth could be cited and/or fined for the violation. In addition, such carelessness may destroy the trust our patients have in MyEZHealth.

Disposal of PHI

  • PHI is available in many forms such as paper, labels, photographs, electronics (i.e., flash/thumb drives) etc. and should NEVER go in the regular trash. Always use DocuVault Shredder boxes for paper documents that contain PHI and contact/send any portable media to MyEZHealth for disposal.
  • You can’t take it with you… In other words, it is a HUGE no-no to take patient information, such as census logs or patient labels, with you when you leave.

How to be a HIPAA Champion

  • Always think patient privacy first.
  • Never guess about how a HIPAA issue should be handled. Contact MyEZHealth.
  • Avoid sharing PHI with anyone who doesn’t have a need to know. This includes co-workers, family, and friends.
  • Keep your passwords safe and secure and avoid unauthorized programs and websites.
  • Know your privacy and security policies and procedures, including the user agreement and Rule of Thumb guidelines below, and follow them every day.

10 POINTS OF HIPAA PRIVACY

  1. Protect PHI at all times. Never access records of family (including spouses), friends, or others unless authorized to do so.
  2. Access, use or provide only the minimum necessary PHI needed for a task or request.
  3. Cover, turn over, or lock up PHI that is not in use.
  4. Report all disclosures of PHI to the supervisor or Privacy office.
  5. Don’t discuss PHI, medical or billing records outside of work under any circumstances.
  6. Protect PHI in emergencies after the emergency is resolved.
  7. Dispose of PHI according to current policies and procedures. NEVER dump un-shredded PHI in regular trash.
  8. If discussing PHI around others, lower your voice or move to a more private area if possible.
  9. Protect PHI on computers, cell phones, fax machines, smart phones, and other electronic devices.
  10. If you have a privacy or security question, ask the nursing supervisor, CMO, security office, or privacy officer.

10 SECRETS OF HIPAA SECURITY

  1. Protect PHI at all times. Never access records of family (including spouses), friends, or others unless authorized to do so.
  2. Beware of hackers and scammers impersonating staff. Verify identities before giving access.
  3. Use strong passwords and time-based screen savers on all computers and workstations.
  4. Never leave computer files containing PHI open and unattended if you need to walk away from them.
  5. Always be alert to the potential for fake emails. If you don’t recognize the sender then don’t open it.
  6. Use encryption for emailing ePHI, or don’t send it.
  7. Never dispose of ePHI that is stored on portable devices without contacting IT for appropriate direction.
  8. Protect ePHI on computers, cell phones, fax machines, smart phones, portable media devices, as well as all other electronic devices.
  9. Immediately report security violations to the Security Officer.
  10. If you have a privacy or security question, ask the supervisor, CMO, or privacy officer.

Network Accounts Confidentiality Agreement

CONFIDENTIALITY STATEMENT AND REQUIRED USER SIGNATURE

I understand and agree that the information/data I have been authorized to access is considered CONFIDENTIAL. Under NO circumstances will such information available to me be used, conveyed, or discussed by me, unless required in the performance of my duties. I will adhere to all organizational policies that define the confidential information and the protection of that information at MyEZHealth. Use of any computing resource at MyEZHealth including, but not limited to, wireless, PDA, internet, company issued smartphone, or Remote Access is strictly for business purposes. System access will be tracked and monitored for proper use. Furthermore, I agree to the following:

  A. I will not make any unauthorized copies of data, which includes photography, and will not save any confidential information to portable media devices (memory sticks, CDs, and other devices);
  B. I will not email data to another email account except as expressly provided for in the secure networking environment provided by MML;
  C. I ACKNOWLEDGE THAT MY AUTHENTICATION CODE AND PASSWORD IS THE LEGAL EQUIVALENT OF MY SIGNATURE. I AGREE THAT I WILL NOT DIVULGE, RELEASE OR SHARE MY AUTHENTICATION CODE OR DEVICE OR PASSWORD WITH ANY OTHER PERSON, INCLUDING ANY ASSOCIATE OR PERSON ACTING ON MY BEHALF, AND I SHALL NOT PERMIT ANYONE ELSE TO ACCESS ANY INFORMATION UNDER MY AUTHENTICATION CODE OR DEVICE OR PASSWORD, AND FURTHER AGREE NOT TO USE OR RELEASE ANYONE ELSE’S AUTHENTICATION CODE, DEVICE OR PASSWORD;
  D. I ACKNOWLEDGE THAT I AM RESPONSIBLE FOR ALL USAGE ON MY ACCOUNT AND THAT MY ACCOUNT MAY BE MONITORED AT ANY TIME;
  E. I agree to notify MyEZHealth IMMEDIATELY if I become aware or suspect that another person has access to my authentication code, device or password, or otherwise become aware of a potential or actual breach, and/or if I have reason to believe that the confidentiality of my password is broken or believe that there has been misuse of data;
  F. I agree to lock or log out of my workstation before leaving my work area to prevent others from accessing confidential information;
  G. I agree never to access data, including data of my family members, friends or coworkers, celebrities, public figures, etc., unless necessary to perform my job;
  H. I will not install or use illegal copies of software on corporate computers;
  I. I will not text any data except as expressly provided for in the approved smart phone application and consistent with the Secure Text Messaging Policy;
  J. I am aware that any unauthorized access to, alteration or destruction of PHI, as well as my own records, will result in disciplinary action, up to and including termination.

HIPAA and IT Security Help

  • Contact MyEZHealth security office: support@myezhealth.com

CONCLUSION

  • ALWAYS remember to treat every patient’s PHI with the same respect and care that you would want your own information to receive.