Ten Simple HIPAA Tips

  1. Ensure discussions of PHI (protected health information) take place where you cannot be easily overheard.
  2. ePHI should not be saved on unencrypted devices such as laptops, desktops, servers, USB drives, etc.
  3. When leaving your workstation unattended, log off or manually lock your workstation.
  4. Computer equipment should not be left unsecured such as in an unattended vehicle or hotel room.
  5. PHI should not be left on a copier or scanner unattended.
  6. Paper PHI should be disposed of properly by shredding.
  7. Keep passwords safe. Do not write down or share your password.
  8. Double check fax numbers and email addresses to ensure you have the correct information before faxing or emailing PHI.
  9. Patient photos or stories require a signed authorization prior to taking or using. Authorization forms can be obtained on the Reliant portal.  
  10. Report suspected HIPAA violations to your supervisor or the company privacy officer.  Reliant employees may contact their Privacy and Information Security Officer at privacy@reliant-rehab.com.

HIPAA Happenings: Holiday Phishing

Cyber criminals take advantage of the holidays to disguise their phishing campaigns and malware as seasonal email. Requests for donations to fraudulent charities, bogus holiday advertisements, and messages posing as package delivery notifications are common this time of year.

What to Do If You Suspect You Are a Victim of Phishing:

  • Change your password immediately.
  • Contact your IT Department.
  • For Reliant employees contact support@reliant-rehab.com or call 225-767-7670.

Common HIPAA Violations Employees May Not Realize

Have you ever emailed Protected Health Information (PHI) to your personal email account, or do you do so routinely, so you can catch up on work outside of the facility? With the many demands of the job, it can be tempting. It is also commonly a HIPAA violation: a personal mailbox sits outside the organization's safeguards (encryption, access controls, audit logging), so the information is not properly protected and is more easily breached. Although your intentions may be good, this is not an appropriate practice. Your company may have a policy directly relating to PHI. Reliant employees should refer to Policy 8.3 – Use of E-Mail and Text Messaging for full policy information.

The same caution applies to taking paper patient information outside of the facility. Removing protected health information from a healthcare facility places that information at risk of exposure, and doing so without appropriate measures to safeguard it in transport and outside of the facility violates the HIPAA Rules. Reliant employees should refer to Policy 3.14 – IT Equipment Protection & Physical Access Controls for full policy information.
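The email rule above can be enforced in software as well as on paper. As an added illustration (example code written for this page, not a Reliant tool), the Python below scans an outbound message for a few of the HIPAA identifier types that appear on a face sheet and decides what to do based on where the message is going. The internal domain, the webmail list, the "MRN:" record-number format and the two sample emails are constructed assumptions, and the regexes catch only a subset of the 18 identifiers; a resident's name, for example, needs a directory lookup rather than a pattern.

```python
"""Flag outbound email that carries likely PHI to a personal or external mailbox.
Added example for this page, not Reliant's tooling; domains and formats are assumed."""
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed: the organization's own mail domain(s). Anything else is "external".
INTERNAL_DOMAINS = {"example-rehab.test"}
# Assumed: consumer webmail domains that policy treats as personal accounts.
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
                    "aol.com", "icloud.com"}

# A subset of the 18 HIPAA identifier types, as they tend to appear on a face
# sheet. Regexes cannot catch names or free-text details; this is a heuristic.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    # Assumed record-number format "MRN: 1234567"; adjust to the real EHR's format.
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "clinical_term": re.compile(r"\b(?:diagnosis|dx|medications?|allergies|face sheet)\b",
                                re.IGNORECASE),
}


def recipient_domains(msg):
    """Every domain in To/Cc/Bcc, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rsplit("@", 1)[1].lower() for _, addr in getaddresses(headers) if "@" in addr}


def body_text(msg):
    """Plain-text body; for multipart mail, concatenate the text/plain parts."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    return "\n".join(p.decode("utf-8", "replace") for p in parts)


def phi_indicators(text):
    """Map of identifier type -> number of hits, for the types that occur at all."""
    return {name: len(rx.findall(text)) for name, rx in PHI_PATTERNS.items() if rx.search(text)}


def classify_message(raw):
    """BLOCK: PHI to personal webmail. HOLD: PHI to another external domain
    (release only if encrypted and covered by a business associate agreement).
    ALLOW_INTERNAL: PHI staying inside. ALLOW: no PHI indicators found."""
    msg = message_from_string(raw)
    indicators = phi_indicators(msg.get("Subject", "") + "\n" + body_text(msg))
    external = {d for d in recipient_domains(msg) if d not in INTERNAL_DOMAINS}
    personal = {d for d in external if d in PERSONAL_WEBMAIL}
    if indicators and personal:
        verdict = "BLOCK"
    elif indicators and external:
        verdict = "HOLD"
    elif indicators:
        verdict = "ALLOW_INTERNAL"
    else:
        verdict = "ALLOW"
    return {"verdict": verdict, "indicators": indicators,
            "external": sorted(external), "personal": sorted(personal)}


# Constructed sample messages (no real people or records).
SAMPLE_TO_PERSONAL = """\
From: therapist@example-rehab.test
To: me.personal@gmail.com
Subject: face sheet for tomorrow

Bringing this home to finish my notes.
Resident: J. Doe   DOB 03/14/1951   MRN: 0045871
SSN: 123-45-6789   Phone: (225) 555-0142
Diagnosis: post-op rehab, see medication list attached
"""

SAMPLE_INTERNAL = """\
From: therapist@example-rehab.test
To: scheduler@example-rehab.test
Subject: team meeting

Moved to 2 pm Thursday in the small conference room.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_TO_PERSONAL, SAMPLE_INTERNAL):
        print(classify_message(sample))
```

Running the script prints a BLOCK verdict for the first message (four identifier types plus clinical terms, bound for gmail.com) and ALLOW for the second. A real gateway would add encryption enforcement for the HOLD case and log every verdict for the privacy officer.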

Guide to Personally Identifiable Information (PII)

Whether at work, at home, or on the go, the data that is most often the top target of cybercriminals is all around us. Protecting that data isn't a highly technical process, but rather one that requires common sense and a strong commitment to privacy in every aspect of our lives!


What is PII?
PII, or personally identifiable information, is sensitive data that could be used to identify, contact, or locate an individual.


What are some examples of PII?
PII includes (but is not limited to) home addresses, personal email addresses, national ID numbers, credit card numbers, and personal phone numbers.


What are some examples of non-PII?
Information such as business phone numbers and email addresses, race, religion, gender, workplace, and job titles is typically not considered PII on its own. But it should still be treated as sensitive, linkable information, because it can identify an individual when combined with other data.


Why is PII so important?
On a personal level, our PII is necessary to acquire some goods and services, such as medical care and utilities. But in the wrong hands, PII leads to identity theft and other forms of fraud. On a professional level, you may store PII of customers, clients, vendors, contractors, employees, and partners. If left unprotected, your organization could face steep fines and your reputation could be severely damaged.


How do you protect PII at work?
Protecting PII begins and ends with following your organization's security policies, which were created to ensure that the data remains private. Treat all requests for sensitive info with a high degree of scrutiny, stay alert, think before you click, and if you have any questions, ask them!


How do you protect PII at home?
Develop a home security policy similar to those at work, which calls for common sense practices, such as not clicking on random links and attachments, guarding personal info online and in real life, destroying sensitive documents beyond recognition, and setting social media profiles to fully private.

“Protect” Protected Health Information (PHI)

Phishing attacks are non-stop year-round, and attackers take advantage of holidays and other seasonal events, like tax time, to trick you into clicking links and entering your user ID and password. When a phishing attempt succeeds, the "Bad Actor" obtains your email login information and can use your email account to read, forward, and send data. Do you have resident information such as face sheets in your mailbox? If so, it holds a wealth of PHI that criminals can use to commit fraud and identity theft. Stay vigilant.

HIPAA Privacy Rule Refresher

Refresh your memory with some of the Privacy Rule points below.

• HIPAA’s Privacy Rule goal is to protect the confidentiality of patient/resident healthcare information.

• Protected Health Information (PHI) is individually identifiable health information collected from an individual and created or received by a health care provider, health plan, or health care clearing house relating to past, present, or future physical or mental health conditions of an individual.

• Information is "individually identifiable" when any one or more of 18 types of identifiers can be used to identify an individual (e.g. name, address, dates such as birth date, account number, etc.).

• The HIPAA Privacy Rule applies to covered entities (health care providers that transmit health information electronically in connection with certain transactions, health plans, and healthcare clearinghouses) and to their Business Associates with access to Protected Health Information (PHI).

• PHI can be in paper form, electronic as well as in verbal communications.

• Photos and videos of patients/residents are PHI and require documented authorization to take and use.

• Access to PHI must be restricted to the minimum necessary to accomplish the intended purpose.

• PHI cannot be used or disclosed without documented patient authorization unless it is for one of the purposes or situations the Privacy Rule permits, which include:

o Use or disclosure to the patient

o Use or disclosure for treatment, payment, or general healthcare operations

o Use or disclosure if the individual has the opportunity to agree or object, such as a patient bringing a family member with them when discussing care with a physician

(The Privacy Rule also permits certain other disclosures without authorization, for example those required by law or made for public health activities; check with your privacy officer before relying on one.)

• Covered Entities (CE) are required to provide residents/patients with a Notice of Privacy Practices (NPP) to tell how the CE may use and share their health information.

• Disposal of documents containing PHI must be rendered unreadable. Shredding is the most common method of disposal. Before disposal, be sure to follow your organization’s data retention policies.

For more information regarding HIPAA Privacy, visit www.hhs.gov.

Keep Information Safe with Good Password Practices

These days we’re all overloaded with the number of accounts that require credentials and remembering them is impossible. Using the same password for different accounts is tempting—like having one handy key that opens every lock you use. But reusing passwords is not the solution.

Compromised passwords are one of the leading causes of data breaches, and reusing passwords can increase the damage done by what would otherwise be a relatively small incident. Cybercriminals know that people reuse credentials and often test compromised passwords on commonly used sites in order to expand the number of accounts they can access.

For instance, if you use the same password for your work email as for Amazon or your gym membership, a breach at one of those companies puts your work emails at risk. Reusing credentials is like giving away copies of the key that opens all your locks. Before reusing a password for different accounts, especially across work and personal ones, think of all the data that someone could get into if they got that credential.

Here are some tips to help you avoid falling in this trap:

• Use completely separate passwords for work and personal accounts.

• Avoid words that can easily be guessed by attackers, like “password” or “September2017,” or predictable keyboard combinations like “1234567,” “qwerty,” or “1q2w3e4r5t.”

• Add some complexity with capitalization or special characters if required. “Fido!sAnAwesomeDog” is a stronger password than your pet’s name.

• Just adding numbers or special characters at the end of a word doesn’t increase security much, because they’re easy for software to guess.

• Avoid words like your kids’ names that could easily be guessed by coworkers or revealed by a few minutes of online research.

• Answers to security questions are often easily found— your mother’s maiden name is public record—so pick another word for whenever that question comes up.
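The following Python check is added here as an illustration and is not taken from any Reliant system. It turns the tips above into code: it flags reuse across accounts, a single word with digits or symbols tacked on the end, an embedded year, a common word, keyboard walks such as 1q2w3e4r5t (including interleaved ones), and a pet or child's name used as essentially the whole password, while accepting a multi-word passphrase like Fido!sAnAwesomeDog even though it contains the pet's name. The 12-character minimum and the small word list are assumptions, not policy from the page.

```python
"""Flag the weak-password patterns described above. Added example, not a
Reliant tool; MIN_LENGTH and the word list are assumptions."""
import re

MIN_LENGTH = 12  # assumed policy minimum; the text gives no number
COMMON_WORDS = {"password", "passw0rd", "welcome", "letmein", "admin", "football",
                "iloveyou", "monkey", "january", "february", "march", "april", "may",
                "june", "july", "august", "september", "october", "november", "december"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _has_keyboard_walk(lower, run=4):
    """True if any 4 consecutive characters trace a keyboard row (either direction).
    The two interleaved halves are checked too, so 1q2w3e4r5t is caught via "12345"."""
    for s in (lower, lower[::2], lower[1::2]):
        for i in range(len(s) - run + 1):
            chunk = s[i:i + run]
            if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
                return True
    return False


def assess_password(pw, personal_words=(), previously_used=()):
    """Return a list of finding codes; an empty list means no rule fired.
    personal_words: names an attacker could learn (pets, kids, team, employer).
    previously_used: passwords already in use on other accounts."""
    findings = []
    lower = pw.lower()
    personal = {w.lower() for w in personal_words}
    if pw in previously_used:
        findings.append("reused")
    if len(pw) < MIN_LENGTH:
        findings.append("too_short")
    # One word with digits/symbols only at the end: Fido123!, September2017, password1
    m = re.fullmatch(r"([a-z]+)[\d\W_]*", lower)
    core = m.group(1) if m else None
    if core in COMMON_WORDS:
        findings.append("common_word")
    if core is not None and len(core) < len(lower):
        findings.append("word_plus_suffix")
    if re.search(r"(?:19|20)\d{2}", pw):
        findings.append("contains_year")
    if _has_keyboard_walk(lower):
        findings.append("keyboard_walk")
    # A pet or child's name as the whole password (or nearly so) is guessable;
    # the same name as one word among several in a passphrase is not flagged.
    words = re.findall(r"[A-Z]?[a-z]+", pw)
    if len(words) < 3 and any(w.lower() in personal for w in words):
        findings.append("personal_info")
    return findings


if __name__ == "__main__":
    ctx = {"personal_words": ["Fido", "Emma"]}
    for candidate in ("password", "September2017", "1q2w3e4r5t", "Fido123!",
                      "Fido!sAnAwesomeDog"):
        print(f"{candidate:22} {assess_password(candidate, **ctx) or 'ok'}")
```

In a real deployment the reuse check would not hold other passwords in plaintext; it would compare against breach corpora or a hashed history instead, and the common-word list would be a full dictionary. The structure of the rules is what the tips describe, and it is the structure that matters.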