Screen 1

1_C_0

Welcome to your HIPAA Training

Screen 2

2_C_1

You are receiving this training because your role at Abbott may require access to Protected Health Information (PHI).

In this course, you will learn about the Health Insurance Portability and Accountability Act (or HIPAA). HIPAA is a federal law that sets the standard for how Abbott is able to use, disclose, and maintain PHI.

Screen 3

3_C_2

As a company that places a high value on protecting data, including PHI, we want to make sure you have the skills necessary to handle and protect such sensitive information.

Thus, throughout this course, we’ll look at HIPAA and best practices for protecting PHI.

Screen 4

4_C_3

Upon completion of this course, you will be able to:

  • Recognize the importance of HIPAA and how it applies to Abbott.
  • Identify key examples of PHI and how to protect privacy when using and disclosing such sensitive information.
  • Identify your responsibilities for recognizing and reporting privacy and security incidents.
  • Recognize the consequences for non-compliance with HIPAA.

The course will take 30 minutes to complete.

Screen 5

5_C_4

The icons at the top of the screen provide one-click access to key resources:

  • The Table of Contents,
  • Important contact information, and
  • Reference material.

In addition, you can use the Exit icon to close the course window.

Screen 6

6_C_5

There are several features to help guide you through the course:

  • The Back and Forward arrows allow you to move from screen to screen.
  • A horizontal slider bar at the bottom of the screen allows you to see where you are in the course.
  • Table of Contents lets you navigate to previously viewed content.

Screen 7

7_C_6

Knowledge Check

Once you have reviewed the content of this course, you will be required to complete a 10-question Knowledge Check.

You must score 80 percent to certify completion of this course.

Screen 8

8_C_7

Protected Health Information (PHI) is any piece of health information that identifies an individual or could be used to identify an individual.

Screen 9

9_C_8

The U.S. Department of Health & Human Services defines Protected Health Information as:

“Any information, including demographic information, which relates to: the individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.”

Screen 10

Activity: Learn More

10_C_9

HIPAA applies to all PHI, regardless of how it’s communicated - whether it’s shared verbally, in writing, or through electronic methods.

Examples of PHI include a patient’s name, health care payment information, treatment dates, and treatment location.

CLICK LEARN MORE FOR AN EXPANDED LIST OF HIPAA IDENTIFIERS.

Screen 10

Activity: Learn More

11_C_9

Learn More

HIPAA identifiers include:

  • Names
  • Phone and fax numbers
  • Email addresses
  • Vehicle identifiers, including VIN and license plate numbers
  • Device identifiers and serial numbers
  • Postal addresses
  • Account numbers
  • Medical record/prescription numbers or health plan numbers
  • Certificate/license numbers
  • Full-face photographs and any comparable images
  • Social Security numbers
  • URLs and IP addresses
  • Identifying dates, including date of birth, date of death, and treatment dates
  • Biometric identifiers, including finger and voice prints
  • Any other unique identifying number, characteristic, or code

Screen 11

Activity: Pop Up

12_C_10

Your ability to protect PHI depends on your ability to recognize PHI.

CLICK EACH OF THE PANELS TO VIEW EXAMPLES OF DOCUMENTS AND SITUATIONS WHICH MAY CONTAIN PHI.

Screen 11

Activity: Pop Up

13_C_10

Written Health Information

Any information that relates to an individual’s health care or payment, including the following:

  • A patient ID card.
  • An employee benefits registration form.
  • An order or billing invoice containing patient information.

Screen 11

Activity: Pop Up

14_C_10

Electronic Health Information

Any information that relates to an individual’s health care or payment, including the following:

  • A health care plan’s claims data in electronic form.
  • Any patient information stored electronically in Abbott’s systems or databases.
  • An email containing patient information.

Screen 11

Activity: Pop Up

15_C_10

Spoken Health Information

Any information that relates to an individual’s health care or payment, including the following:

  • A conversation between an Abbott employee and a customer about the patient’s insurance coverage.
  • A discussion with a patient or their health care provider about the patient’s treatment.

Screen 12

Activity: Selection

16_C_11

Now that you know what PHI is and why it’s important, take a moment to review some different documents and assess whether HIPAA would apply.

Simply click on PHI or Not PHI to move the information into its correct folder.

Screen 12

Activity: Selection

17_C_11

Patient Contact Information.

PHI

This example contains PHI.

Not PHI

Screen 12

Activity: Selection

18_C_11

A patient ID card.

PHI

This example contains PHI.

Not PHI

Screen 12

Activity: Selection

19_C_11

An Annual Report.

PHI

This example does not contain PHI.

Not PHI

Screen 12

Activity: Selection

20_C_11

Notice of privacy practices.

PHI

This example does not contain PHI.

Not PHI

Screen 12

Activity: Selection

21_C_11

A Product Brochure.

PHI

This example does not contain PHI.

Not PHI

Screen 12

Activity: Selection

22_C_11

An insurance registration form.

PHI

This example contains PHI.

Not PHI

Screen 12

Activity: Selection

23_C_11

That’s correct!

That’s not correct!

Well done!

Click the forward arrow to continue.

Screen 13

24_C_12

Who is responsible for complying with HIPAA?

All Abbott personnel in the United States (including US territories) who handle PHI are required to comply with the HIPAA regulations.

Screen 14

Activity: Pop Up

25_C_13

In addition, anyone who has access to or handles PHI on behalf of Abbott, such as an external service provider or vendor, is also required to comply with HIPAA.

Covered Entities, Business Associates, and Subcontractor Business Associates are required to have agreements in place which ensure PHI is adequately protected.

CLICK EACH OF THE PANELS TO LEARN MORE ABOUT THE TYPES OF ORGANIZATIONS COVERED BY THE HIPAA REGULATION.

Screen 14

Activity: Pop Up

26_C_13

Business Associates

A Business Associate is an individual or entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. A Business Associate’s functions may include remote monitoring, billing, accounting, legal, or IT services.

For Example

  • Abbott is a Business Associate for the remote monitoring services it provides with Merlin.net and CardioMEMS.

Screen 14

Activity: Pop Up

27_C_13

Covered Entities

Covered Entities include health plans, health care clearinghouses, and health care providers. Many of Abbott’s US-based customers are Covered Entities.

For Example

  • At Abbott, Acelis Connected Health, Redwood Toxicology, and Alere Toxicology are all Covered Entities.

Screen 15

28_C_14

In addition to regulating how PHI is used and safeguarded, HIPAA also provides specific rights to individuals whose PHI may be used, disclosed, or maintained.

Abbott recognizes these rights within our US Privacy Policy, which describes our organization's privacy practices, including how Abbott complies with applicable regulations such as HIPAA.

Screen 16

29_C_15

Our Privacy Policy clearly explains what information may be collected; how the information may be used, disclosed, or maintained; and what privacy rights the individual has in regards to his or her information.

The Policy applies to our customers, employees, and the general public, and can be accessed any time by visiting Abbott’s public website.

Screen 17

30_C_16

How does this impact our business?

HIPAA applies in every state, but many states have expanded on it by enacting their own medical privacy and information protection laws. These laws create additional requirements that Abbott, and every company operating in the United States, must follow when handling those states’ residents’ health information.

Screen 18

Activity: Panels

31_C_17

Because Abbott’s operations extend to all 50 states, we are required to comply with the applicable laws in each state.

CLICK EACH OF THE PANELS TO LEARN HOW INFORMATION PROTECTION AND MEDICAL PRIVACY LAWS VARY BY STATE.

Screen 18

Activity: Panels

32_C_17

Organizational Policies & Procedures

State laws may vary in the organizational policies and procedures required by a company to help ensure the privacy and protection of information.

Screen 18

Activity: Panels

33_C_17

Privacy & Security Breach Definitions

State laws may vary in how a privacy or security breach is defined and what is considered a breach.

Screen 18

Activity: Panels

34_C_17

Breach Reporting Requirements

Breach reporting requirements vary by state, and often specify who must be notified, what must be reported, and when and how the report must be made.

Screen 18

Activity: Panels

35_C_17

PHI Definitions

State laws may vary in how Personal Information and/or Health Information is defined and what types of information are included under these definitions.

Screen 19

Activity: Question

36_C_18

You receive a document containing an individual’s name, address, e-mail address, device implant date, and implanted device model and serial number.

Which of the information is considered PHI?

Submit

Screen 19

Activity: Options

37_C_18

[1] Device implant date.

[2] Model and serial number of implanted device.

[3] All of the information is PHI.

[4] None of the information is PHI.

[5] Name, address, and e-mail address.

Screen 19

Activity: Result

38_C_18

Try Again

That’s not correct!

That’s partially correct!

That’s correct!

Please review your answer choice(s) and click the Try Again button above.

Screen 19

Activity: Feedback

39_C_18

An individual’s name, address, e-mail address, device implant date, and the model and serial number of an implanted device are all considered PHI.

Click the forward arrow to continue.

Screen 20

Activity: Question

40_C_19

What’s your responsibility in protecting PHI?

Check all that apply and click the Submit button below.

Submit

Screen 20

Activity: Options

41_C_19

[1] To know and follow our organization’s HIPAA policies for safeguarding PHI.

[2] To know what PHI is and report all violations to Global Privacy.

[3] None. I don’t ever work with PHI.

Screen 20

Activity: Result

42_C_19

Try Again

That’s not correct!

That’s partially correct!

That’s correct!

Please review your answer choice(s) and click the Try Again button above.

Screen 20

Activity: Feedback

43_C_19

All Abbott personnel have a responsibility to protect PHI. This includes following Abbott policies and practices that are designed to help to safeguard an individual’s personal information.

Click the forward arrow to continue.

Screen 21

Activity: Question

44_C_20

Most states have created their own medical privacy laws. Does this mean companies operating in those states are exempt from complying with HIPAA?

Submit

Screen 21

Activity: Options

45_C_20

[1] Yes.

[2] No.

Screen 21

Activity: Result

46_C_20

Try Again

That’s not correct!

That’s partially correct!

That’s correct!

Please review your answer choice(s) and click the Try Again button above.

Screen 21

Activity: Feedback

47_C_20

HIPAA applies in all states. The general standard is that where a state’s law is more protective of individuals’ PHI than HIPAA, companies are required to adhere to both HIPAA and the state’s additional requirements.

Click the forward arrow to continue.

Screen 22

Summary

48_C_21

You have completed the Introduction to HIPAA section of this course. Before you proceed, here are a few key points to remember.

  • HIPAA requires that we protect all PHI that we use, disclose, or maintain on behalf of our employees and customers.
  • PHI is any piece of individually identifiable health information that includes any of the HIPAA PHI identifiers.
  • HIPAA regulations apply to all PHI, regardless of the form or format.
  • Abbott’s Privacy Policy describes how Abbott will use, disclose, and protect the privacy of health information, and the privacy rights of individuals, in accordance with HIPAA.
  • Everyone at Abbott is responsible for ensuring the PHI we use, disclose, or maintain on behalf of our customers and employees is protected and secure.
  • Because Abbott’s operations extend to all 50 states, we are required to comply with the applicable laws in each state.

Screen 23

49_C_22

Regardless of your role, it’s important to understand that we may use PHI only for the purposes for which it was collected, and may disclose (share) PHI only under specific circumstances.

Screen 24

Activity: Panels

50_C_23

Always remember, prior to disclosing any PHI, you must first verify both the identity and authority of the person making the request.

CLICK EACH OF THE PANELS TO LEARN WHEN IT WOULD BE ACCEPTABLE TO DISCLOSE PHI AND THE CONDITIONS THAT MUST BE MET.

Screen 24

Activity: Panels

51_C_23

For treatment, payment, and health care operations (TPO).

Disclosures for treatment, payment, and health care operations may include:

  • A treating doctor or doctor’s representative requesting information on a patient’s device, lead orientation, or other patient information.

Keep in mind: In such cases, Abbott may disclose the requested PHI only if it directly relates to the individual’s treatment, to facilitating payment, or to other health care operations.

Screen 24

Activity: Panels

52_C_23

When responding to individual’s requests.

Disclosures relating to an individual’s request may include:

  • A patient requesting access to their own information.
  • A patient’s authorized representative (such as a spouse) or legal guardian who is requesting the patient’s information.

Keep in mind: Before disclosing any information, you must first verify that the requestor is the patient, the patient’s authorized representative, or the patient’s legal guardian.

Screen 24

Activity: Panels

53_C_23

When authorization is required.

Disclosures requiring authorization may include:

  • Posting a patient’s story on social media, such as Facebook or Twitter.
  • Discussing a specific patient’s condition in product-related training.

Keep in mind: We need to be sure that the patient authorizes the specific use or disclosure - prior to their PHI being used. Contact Global Privacy with any questions around this topic.

Screen 24

Activity: Panels

54_C_23

When we are required by law.

Disclosures required by law may include:

  • Reporting certain device-related events, such as product recalls, repairs, or adverse events, to the FDA.

Keep in mind: We are legally required to disclose information in certain situations; reporting to the FDA is one of them.

Screen 25

55_C_24

Another important part of HIPAA’s use and disclosure requirements is what’s referred to as the “minimum necessary” standard.

Let’s take a look at how the standard applies to the ways in which we use and disclose PHI, as well as its exceptions.

Screen 26

56_C_25

When we use or disclose PHI, the minimum necessary standard requires that a reasonable effort is made to use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose.

Screen 27

57_C_26

The minimum necessary standard should be applied to most situations where PHI is used and disclosed.

However, there are a few exceptions. The ones you are most likely to encounter are:

  • Uses and disclosures that relate to an individual’s treatment.
  • Uses and disclosures that the individual has authorized in the form of a HIPAA-compliant authorization.

Just remember, by applying the minimum necessary standard, you are playing an active role in helping Abbott limit unnecessary or inappropriate access to an individual’s PHI.

Screen 28

Activity: Question

58_C_27

To what extent can you use, access, and disclose PHI?

Submit

Screen 28

Activity: Options

59_C_27

[1] The minimum degree necessary required for payment and healthcare operations.

[2] To the minimum degree necessary to ensure a profit for our organization.

[3] Generally, if you can access PHI, you can use it.

[4] All of the above.

Screen 28

Activity: Result

60_C_27

Try Again

That’s not correct!

That’s partially correct!

That’s correct!

Please review your answer choice(s) and click the Try Again button above.

Screen 28

Activity: Feedback

61_C_27

The minimum necessary standard requires that PHI accessed, used, or disclosed is limited to the minimum amount necessary for the intended purpose, with the exception of treatment.

Click the forward arrow to continue.

Screen 29

Activity: Question

62_C_28

When you comply with HIPAA, what are you ensuring?

Check all that apply and click the Submit button below.

Submit

Screen 29

Activity: Options

63_C_28

[1] Abbott will verify the identity of an authorized recipient before disclosing PHI.

[2] Individuals have legal rights regarding who can access their PHI.

[3] Abbott has the final say in who can access our patients’ and customers’ PHI.

Screen 29

Activity: Result

64_C_28

Try Again

That’s not correct!

That’s partially correct!

That’s correct!

Please review your answer choice(s) and click the Try Again button above.

Screen 29

Activity: Feedback

65_C_28

When you comply with HIPAA, you support an individual’s right to determine who can access their PHI and ensure that PHI is only provided to authorized recipients.

Click the forward arrow to continue.

Screen 30

Summary

66_C_29

You have completed the Use and Disclosure section of this course. Before you proceed, here are a few key points to remember.

  • We are only able to use and disclose PHI under a very specific set of circumstances.
  • Prior to disclosing any PHI, it’s important that you verify the identity and authority of the person making the request.
  • The minimum necessary standard must be applied when using and disclosing PHI, unless the use or disclosure is needed to support an individual’s treatment.

Screen 31

67_C_30

Just as there are rules for how we can use and disclose PHI, there are rules for how to secure (or protect) PHI.

Screen 32

Activity: Pop Up

68_C_31

As a guide for protecting PHI, we apply the HIPAA ‘Security Rule’, which defines three categories of safeguards for electronic PHI (physical, technical, and administrative) that all employees, regardless of role, are required to follow.

CLICK EACH OF THE PANELS TO LEARN HOW EACH SAFEGUARD APPLIES AND KEY RESOURCES TO LEARN MORE.

Screen 32

Activity: Pop Up

69_C_31

Physical Safeguards

Physical safeguards refer to the steps we take to protect our facilities, equipment, and resources that contain PHI from unauthorized access.

Screen 32

Activity: Pop Up

70_C_31

Technical Safeguards

Technical safeguards are primarily the automated processes used to protect data and control access to data. They include using strong authentication controls and encryption.

Screen 32

Activity: Pop Up

71_C_31

Administrative Safeguards

Administrative safeguards are the policies and procedures that govern how we ensure the confidentiality, integrity, and availability of PHI, and that document how we do so. This training is one of the administrative safeguards that Abbott implements.

Screen 33

72_C_32

Refer to our Privacy and Information Security policies on Abbott World to learn more about the physical, technical, and administrative safeguards at Abbott.

Screen 34

73_C_33

While we recognize the importance of safeguarding PHI from unauthorized parties outside our organization, it is inside our organization where each of us has the greatest impact.

Screen 35

Activity: Panels

74_C_34

You can take action by following our current policies and controls and by understanding some of the more common ways PHI might be inappropriately used or disclosed.

CLICK EACH OF THE PANELS TO LEARN ABOUT THE RISKS ASSOCIATED WITH SPECIFIC ACTIVITIES AND HOW THEY CAN LEAD TO HIPAA PRIVACY VIOLATIONS.

Screen 35

Activity: Panels

75_C_34

Not logging off your computer.

You’ve probably noticed a coworker who, at some point, has left their computer unlocked and unattended.

Leaving a computer that contains PHI unlocked leaves it open to unauthorized access. When working with PHI or other sensitive information, remember to log off or lock your computer before leaving your workstation.

Screen 35

Activity: Panels

76_C_34

Sending unencrypted emails.

Sending PHI to an outside party in an unencrypted email gives individuals for whom the message was not intended an opportunity to read it.

For this reason, before you send an email that contains PHI, flag the message for encryption by typing “[Secure]” (including the square brackets) in the subject line.
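The two rules above, recognizing HIPAA identifiers (the list on Screen 10) and requiring the “[Secure]” subject tag before PHI leaves the organization, are exactly what an outbound-mail data loss prevention (DLP) check automates. The following is an added example written for this page, not Abbott’s code and not the configuration of any real mail gateway: it scans a message for a handful of identifier patterns (SSN, medical record number, date, device serial, email address, IP address), treats any recipient outside an assumed internal domain as external, and blocks external messages that carry identifiers without the tag. The domain `example.com`, the regular expressions, the case-insensitive tag match, and the sample messages are all assumptions or constructed input, and the patterns are deliberately simple heuristics, so expect both misses and false positives in practice. It also flags identifiers in the subject line itself, on the assumption that the gateway encrypts the body and attachments but sends the subject in clear text, which is common but must be confirmed for the gateway in use.

```python
"""Outbound-mail DLP check for PHI and the "[Secure]" subject tag (illustrative example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"   # assumed; everything else is treated as external
SECURE_TAG = "[Secure]"           # the tag the course says triggers encryption

# Heuristic patterns for a subset of the HIPAA identifiers (assumed, not exhaustive).
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/\d{4}\b"),
    "device_serial": re.compile(r"\b(?:S/N|serial(?: number)?)[:#\s]*[A-Z0-9-]{6,}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str


@dataclass
class Verdict:
    allowed: bool
    external: bool
    identifiers: Dict[str, int] = field(default_factory=dict)
    reason: str = ""


def external_recipients(msg: Message) -> List[str]:
    """Recipients whose address is not in the internal domain (assumed domain check)."""
    return [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def find_identifiers(text: str) -> Dict[str, int]:
    """Count identifier hits per pattern; only patterns with at least one hit are returned."""
    hits = {kind: len(pat.findall(text)) for kind, pat in PHI_PATTERNS.items()}
    return {kind: n for kind, n in hits.items() if n}


def evaluate(msg: Message) -> Verdict:
    """Decide whether the message may leave the mail system as written."""
    external = bool(external_recipients(msg))
    in_body = find_identifiers(msg.body)
    in_subject = find_identifiers(msg.subject)
    tagged = SECURE_TAG.lower() in msg.subject.lower()  # assume the gateway matches case-insensitively
    if not external:
        # Internal mail is out of scope for this check; minimum necessary still applies.
        return Verdict(True, False, in_body, "internal recipients only")
    if in_subject:
        # Assumption: the tag encrypts body/attachments, not the subject line.
        return Verdict(False, True, in_subject, "PHI in subject line is not protected by the tag")
    if not in_body:
        return Verdict(True, True, {}, "no PHI identifiers detected")
    if tagged:
        return Verdict(True, True, in_body, "PHI present; [Secure] tag will trigger encryption")
    return Verdict(False, True, in_body, "PHI sent externally without the [Secure] subject tag")


# Constructed sample body: fictional patient record text, not real data.
SAMPLE_BODY = ("Patient Jane Roe, MRN: 00412345, SSN 123-45-6789, implanted 03/14/2021 "
               "with device S/N: ABC123456. Lead orientation report attached.")


def demo() -> List[Verdict]:
    """Run the check over four constructed messages and return the verdicts."""
    clinic = ["dr.smith@clinic.org"]
    return [
        evaluate(Message("support@example.com", clinic, "Patient follow-up", SAMPLE_BODY)),
        evaluate(Message("support@example.com", clinic, "[Secure] Patient follow-up", SAMPLE_BODY)),
        evaluate(Message("support@example.com", clinic, "Meeting notes", "Agenda for Tuesday.")),
        evaluate(Message("support@example.com", ["colleague@example.com"], "FYI", SAMPLE_BODY)),
        evaluate(Message("support@example.com", clinic, "[Secure] SSN 123-45-6789", "see subject")),
    ]


if __name__ == "__main__":
    for v in demo():
        print("ALLOW " if v.allowed else "BLOCK ", v.reason, v.identifiers)
```

A gateway rule of this kind is a safety net, not a substitute for the habit the course describes: the sender still has to recognize PHI and add the tag, and the check only sees the identifier patterns it has been taught.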

Screen 35

Activity: Panels

77_C_34

Sending a fax to a wrong number.

Faxing a document that contains PHI to a wrong number could potentially cause damage to Abbott’s reputation, a loss of trust from our customers, or, worst of all, harm to the patients we support. In this day and age, medical data can be used for a multitude of criminal activities such as extortion, blackmail, and fraud.

Screen 35

Activity: Panels

78_C_34

Using unencrypted storage devices.

Information is at risk of falling into the wrong hands if a storage device is lost. Though convenient, small storage devices such as USB drives can be read by anyone who picks them up, with very little technical know-how. Therefore, it’s important that we only use encrypted storage devices when handling PHI.

Screen 35

Activity: Panels

79_C_34

Providing a Patient ID Card in error.

Patients who receive an Abbott implanted device are provided a Patient ID Card. This card contains information unique to the patient and their device, and is used by health care providers to assist with ongoing treatment. If a patient is provided an ID Card containing a different patient’s information, that is a potential privacy incident and must be reported to Global Privacy.

Screen 36

80_C_35

HIPAA security safeguards are only effective if you follow the steps that protect PHI consistently, every day and in every circumstance.

This includes reporting any concerns you have to Global Privacy.

Screen 37

81_C_36

Abbott has a legal responsibility to investigate all privacy and security incidents related to PHI and to notify affected individuals (or, where Abbott acts as a Business Associate, the affected Covered Entity) as soon as possible.

If there is ever a misuse of PHI, such as disclosing information to an unauthorized individual, sending an unencrypted email with patient data, or improperly disposing of such sensitive information, report the incident as soon as possible.

If you have any concerns about a potential violation or questions regarding the reporting process, contact OEC or a member of the Global Privacy team.

Screen 38

Activity: Question

82_C_37

As you scan your badge to enter a restricted area, a coworker approaches you and asks you to hold the door. Should you let her follow you in?

Submit

Screen 38

Activity: Options

83_C_37

[1] Yes, as long as you’re sure she works at Abbott.

[2] Yes, as long as she says she’s authorized to work in that area.

[3] Yes, as long as she has an employee badge.

[4] No, all employees need to scan their badges to enter a restricted area.

Screen 38

Activity: Result

84_C_37

Try Again

That’s not correct!

That’s partially correct!

That’s correct!

Please review your answer choice(s) and click the Try Again button above.

Screen 38

Activity: Feedback

85_C_37

Regardless of the individual or their level of authority, Abbott requires every employee to scan their own badge when entering a restricted area.

Click the forward arrow to continue.

Screen 39

Activity: Question

86_C_38

You receive a call regarding a privacy concern. What should you do?

Submit

Screen 39

Activity: Options

87_C_38

[1] Try to resolve the situation.

[2] Direct the concern to a member of the Global Privacy Team.

[3] Determine if it’s a valid concern and then report it to the appropriate department.

[4] Nothing. Privacy concerns are a normal part of our business.

Screen 39

Activity: Result

88_C_38

Try Again

That’s not correct!

That’s partially correct!

That’s correct!

Please review your answer choice(s) and click the Try Again button above.

Screen 39

Activity: Feedback

89_C_38

If a privacy concern is received, you should direct the concern to OEC or a member of the Global Privacy team as soon as possible.

Click the forward arrow to continue.

Screen 40

Activity: Question

90_C_39

Which of the following are examples of HIPAA privacy violations?

Check all that apply and click the Submit button below.

Submit

Screen 40

Activity: Options

91_C_39

[1] Providing a Health Care Provider with patient information for treatment purposes.

[2] Sending a fax with PHI to an incorrect fax number.

[3] Discussing patient information with a friend at lunch.

[4] Sending PHI via encrypted email to an authorized recipient.

Screen 40

Activity: Result

92_C_39

Try Again

That’s not correct!

That’s partially correct!

That’s correct!

Please review your answer choice(s) and click the Try Again button above.

Screen 40

Activity: Feedback

93_C_39

Information may be securely disclosed to Health Care Providers providing treatment and to authorized recipients. It’s not okay to discuss Protected Health Information with an unauthorized recipient. Always verify the recipient of PHI before disclosing any information.

Click the forward arrow to continue.

Screen 41

Summary

94_C_40

You have completed the Securing PHI and Incident Reporting section of this course. Before you proceed, here are a few key points to remember.

  • By following Abbott’s HIPAA compliant policies and procedures, you help Abbott comply with HIPAA’s Privacy and Security Rules.
  • An unauthorized acquisition, access, use, or disclosure of PHI may be a violation of HIPAA.
  • To comply with HIPAA, Abbott has a responsibility to investigate all privacy and security incidents related to PHI.
  • Any possible privacy incidents should be communicated to OEC or a member of the Global Privacy team as soon as possible.

Screen 42

Contacts

95_C_41

If you have questions about how HIPAA affects your business or your role, or you would like to learn more about best practices, please reference the following list of Privacy contacts specific to your business:

Cardiovascular

Diabetes Care

Established Pharmaceuticals

Neuromodulation

Nutrition

Rapid Diagnostics

Corporate

Additional information can be found on the Global Privacy page.

Screen 43

Reference

96_C_42

Course Transcript

Click here for a full transcript of the course.