HIPAA Policies & Procedures

HIPAA training is mandatory for all new hires, and annually thereafter for all UBMD employees. 

Click here to access the training video.

The password for training is: ubmd (all lower case). At the end of the video, a 10 question quiz will appear. You must successfully complete the quiz for training to be complete.

Note: We have found that the link will not work with Internet Explorer. A different browser, such as Google Chrome or Safari, must be used.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. HIPAA is a federal law, with civil and criminal penalties of up to $1,500,000. UBMD has a separate, detailed set of privacy, security and breach notification rules, policies and procedures, and all employees are directed to reference those policies and procedures for more comprehensive guidance on HIPAA.  

The HIPAA Privacy Rule ensures the privacy of patient health care information, restricts the use and release of medical records, and gives patients more control over how that information is used.  Providers are required to make a reasonable effort to protect patient privacy at all times.  A patient’s authorization is required before using or releasing Protected Health Information (PHI) for purposes other than treatment, payment, or health care operations.  

The Privacy Rule holds health care providers accountable for privacy violations with serious penalties for non-compliance. 

The HIPAA Security Rule ensures protection of electronic Protected Health Information (ePHI). The Security Rule provides administrative, physical and technical safeguards to be followed to protect the confidentiality, integrity and availability of ePHI containing patient information such as name, address, social security number, billing information and physician notes.

Administrative safeguards include:

  • setting standards on who has authorization to access ePHI;
  • employing systems to detect, correct and prevent breaches in security;
  • setting policies and plans for handling violations and responding to emergencies or natural disasters;
  • creating retrievable back-up systems off site; and
  • performing ongoing evaluations and audits to ensure compliance with the Security Rule.

Physical safeguards include the implementation of access controls which limit access to ePHI, such as regularly changing passwords, PINs, unique user IDs, automatic log-off, and recognized restricted areas for computers and equipment.

Technical safeguards include software technology which is often put in place by IT experts, such as virus-checking software, encryption, digital signatures and internal monitoring and audit systems.

The Breach Notification Rule requires HIPAA covered entities and their business associates to notify affected individuals, HHS and, in some cases, the media, when PHI has been improperly disclosed. Most notifications must be provided without unreasonable delay, and no later than 60 days following the breach discovery.

Generally, a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI.  An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

There are three exceptions to the definition of “breach”:

  • The first applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
  • The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  • The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

*Always contact the UBMD Compliance Officer immediately if you suspect a breach may have occurred: first, to determine whether there was in fact a breach; and second, to ensure all required steps are taken and proper notification is made.

A HIPAA Business Associate Agreement (BAA) is a written agreement, required by the HIPAA Privacy Rule and signed by a business associate, before PHI can be shared between a covered entity and a business associate. The agreement gives assurances that the business associate will not use or disclose PHI in a manner that contradicts the requirements of the Privacy Rule. The BAA must define the function of the business associate, as well as the limitations on their uses and disclosures of PHI. It must also define what will happen to the PHI held by the business associate upon termination of the agreement.

BAAs are also required between a covered entity and a business associate who isn’t given direct access to PHI, but may come across it while doing their work (e.g., a cleaning company).

Notice of Privacy Practices (NPP)

The HIPAA Privacy Rule requires health care plans and covered health care providers to distribute an NPP to their patients, usually on their first visit. The notice must also be posted in a clear and easy-to-find location where patients are able to see it, and a copy must be provided to anyone who asks for it. It must also be posted on the organization’s website if they have one. The NPP must describe:

  • How the Privacy Rule allows the provider to use and disclose protected health information. It must also explain that your permission (authorization) is necessary before your health records are shared for any other reason;
  • The organization’s duties to protect health information privacy;
  • The patients’ privacy rights, including the right to complain to HHS and to the organization if they believe their privacy rights have been violated; and
  • How to contact the organization for more information and to make a complaint.

UBMD Compliance Hotline

716.888.4752