It is mandatory that all employees, volunteers, and interns receive HIPAA Privacy and Security Awareness training, as well as annual refresher training.
Volunteers and Interns (students)
Volunteers must complete the training available on the Compliance website designated for volunteers and interns. Such training must be documented in the student/volunteer folder, and maintained by that division, bureau or clinic, in written or electronic form, for at least six (6) years after the student/volunteer separates, or longer if required by other applicable Department policies. Volunteers and interns can print proof of their training completion by logging into LCMS and clicking on "My Transcript." From there, they can print a document that will reflect their completed courses.
New employees must complete the most current HIPAA Privacy and Security Awareness training, complete the current year refresher training, and complete the appropriate electronic acknowledgment form.
Current employees must complete the current HIPAA Privacy and Security Awareness training, complete all refresher training, and complete the electronic acknowledgment form.
When must a new employee/volunteer/intern complete HIPAA Training?
New employees, interns and volunteers must complete the HIPAA Training in LCMS and complete the electronic acknowledgment form during their orientation period and prior to coming in contact with protected health information. Interns and volunteers may choose to complete the on-line HIPAA Training at home prior to their first day.
Where can I find the link to log in to the HIPAA Training?
What is the e-HIPAA Log?
The e-HIPAA Log is used by appropriately designated ADPH staff to document disclosures of patient/client health information.
What are the types of disclosures that must be documented on the e-HIPAA Log?
The following disclosures of patient/client information must be documented in the e-HIPAA Log:
- Unauthorized releases of PHI. These unauthorized releases must also be documented in the Automated Report of Incidents and Accidents (ARIA) System;
- Authorized releases based upon subpoena or judicial process;
- Authorized releases to law enforcement, national security, emergencies, abuse investigatory agencies (like DHR), and research as documented in the progress notes in the patient file;
- Requests to limit releases of PHI;
- Requests to amend or correct PHI; and
- Requests for accounting of PHI.
I was not previously given access to the e-HIPAA Log link, but I think I need to document a disclosure. Who do I talk to?
First, speak with your Area Clerical Director to ensure that your intended report meets the requirements. If your Area Clerical Director agrees that you need access to the system to document the disclosure, have her/him send an email to Pamela Kendrick requesting access.
Where can I find training on how to use the e-HIPAA Log?
Training on how to appropriately use the e-HIPAA Log can be found at alabamapublichealth.gov/complianceeducation.
Does ADPH utilize e-mail encryption?
Yes, the Department currently utilizes Symantec e-mail encryption software. Our new encryption software does not affect e-mails being sent within Lotus Notes. Therefore, the vast majority of employees will not know that it is there. However, the encryption software will activate when the system finds protected health information being e-mailed outside of Lotus Notes.
Employees do not have to do anything to utilize this encryption software. The recipient of the e-mail will receive an automatic e-mail notifying them that they are being sent an e-mail containing protected health information and requiring them to register with our system. After registering, they will be able to receive e-mails from our employees by entering a password. This is very similar to encryption software used by Alabama Medicaid and many other providers. It is explained thoroughly in the 2018 HIPAA training and policy.
Shred Bin vs. Recycle Bin: Does it Really Matter?
Yes. HIPAA requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in any form. This means that the Department must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. Employees are not allowed to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. Therefore, paper-based PHI must only be disposed of by utilizing a shredding machine or by placing the documentation in a secured shred bin. PHI must NOT be placed in a recycle bin. The placement of PHI in a recycle bin, dumpster or trashcan will be considered a HIPAA violation.
Outside Auditors/Government Investigators
An outside auditor/government investigator just showed up at my office requesting patient records. What do I do?
Individuals requesting PHI for the purpose of performing an audit or investigation must meet HIPAA requirements in order to access PHI held by the Department. If a non-Department staff member requests to view PHI to perform an audit or investigation, you should take the steps listed below:
1. Ask for a copy of their badge and business card.
2. Notify your supervisor who will contact the Office of General Counsel and provide them with a copy of the badge and business card.
3. If the request for PHI is approved, remember to log any disclosures in the e-HIPAA Log for any patient whose records are accessed.
*Do not provide external auditors or investigators access to your passwords or log-in information. If access to Department systems is necessary, the Security Officer must be notified and will work to develop a means of access to necessary systems.
I need to fax some records to another health care provider, but my co-worker says that there are faxing procedures that I must follow. Is that true?
Yes, ADPH has faxing procedures that can be found in the 2018 HIPAA Policy. Faxing of PHI is only permitted if the sender first calls the recipient and confirms that the recipient or his/her designee can be waiting at the fax machine. The recipient or his/her designee then waits at the fax machine to receive the fax and calls the sender to confirm receipt of the document. Both the sender and the recipient must be attentive to the sensitive nature of PHI.
Oh, no! I just sent a fax to the wrong number in error. What do I do now?
Contact the Privacy Officer immediately at 334-206-9324. After conversing with the Privacy Officer, you may be advised to fax a notice to the incorrect fax number explaining that the information has been misdirected and ask for confirmation in writing that the information has been shredded or destroyed. Do not include any identifying information about the patient when you send this second fax.
Immediately document the incident by filing an ARIA report. Finally, verify the fax number with the correct recipient before attempting to fax the information again.
Can STD information be faxed?
Yes, as long as the fax procedures noted in the HIPAA policy are followed. You can fax STD information just as you would any other medical record. This is the case whether it is faxed between health departments, to and from central office, and to other health care entities with authority to receive the information. Exception: AIDS/HIV information cannot be faxed.
Business Associate Agreements
What is a Business Associate?
A "Business Associate" is a person or entity who creates, receives, maintains or transmits PHI for the Department.
Why do I need to consider having a Business Associate Agreement?
The HIPAA Rules require that covered entities and business associates enter into a Business Associate Agreement (BAA) to ensure that business associates will appropriately safeguard PHI. A business associate may use or disclose PHI only as permitted or required by its BAA or as required by law.
As of 2013, business associates are directly liable under the HIPAA Rules and subject to civil and criminal penalties for making uses and disclosures of PHI that are not authorized by agreement or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information (e-PHI) in accordance with the HIPAA Security Rules.
How do I know if I need to enter into a Business Associate Agreement?
ADPH utilizes a BAA Flowchart so that employees can more easily ascertain whether a BAA is necessary. A copy of the flowchart is attached to the 2018 HIPAA policy and can also be found on this website under "Forms". Training for BAAs can be found at alabamapublichealth.gov/complianceeducation.
Page last updated: April 26, 2019