
RBH Privacy & Security Training

Mahivarshini Sampathi

Created on October 5, 2025


Transcript

HIPAA Overview

Start Here

Three Rules of HIPAA
Understanding PHI
Security Rule / Safeguards & Workforce
Breach Notifications

Important

This orientation, successful completion of the quiz, and signing the HIPAA Acknowledgement Form must be completed before seeing clients.
Real World Scenarios

Introduction

As a counselor in training, you should be aware of all laws and guidelines that govern confidentiality, privacy and security of client information. These include:

  • Code of Federal Regulations
    • HIPAA
    • 42 CFR Part 2
  • State Laws & Regulations
  • Professional Code of Ethics
  • Organizational Policies & Procedures

Introduction

Begin with this video, highlighting some of the most important HIPAA compliance basics.


Privacy Rule

Key Elements

The Privacy Rule sets national standards for how patient information is handled in any format—paper, electronic, or oral. It defines what information is protected, outlines when and how it can be shared, and empowers patients with rights over their own health information. The Privacy Rule is the ethical backbone of HIPAA, ensuring that trust, transparency, and respect guide every interaction involving sensitive health data. Understanding the Privacy Rule is essential for anyone working in healthcare. It’s not just about compliance—it’s about honoring the dignity and autonomy of every individual we serve.

Protected Health Information (PHI)
Covered Entities & Business Associates
Permitted Uses Without Disclosure
Patient Rights
Minimum Necessary Standard
Sharing Mental Health Information

Pop Quiz


Understanding PHI


What is ePHI?

ePHI refers to any PHI that is created, stored, transmitted, or received electronically.

Examples include:

  • Electronic Health Records (EHRs)
  • Emails containing patient details
  • Data stored in cloud-based systems
  • Digital billing and insurance forms


Security Rule / Safeguards & Workforce

Administrative Safeguards
  • HIPAA Security Rule (2003) - sets national standards for protecting electronic protected health information (ePHI).
  • Applies to covered entities (healthcare providers, health plans, and clearinghouses) and to their business associates.
  • The focus is on electronic data, unlike the Privacy Rule, which also includes oral and paper records.
Physical Safeguards
Technical Safeguards
HIPAA Computer Labs for Student Trainees
Exceptions to Confidentiality
Contacting Clients


Contacting clients

Secure Handling of Devices

  • Agency-issued, encrypted devices only; personal phones/laptops are not allowed for PHI communication.
  • Workforce must log out or lock screens immediately after communication.
  • No PHI shall be discussed in public or shared spaces without privacy assurance.
Communication Audit & Accountability
  • Communication logs must include date, method, and purpose of outreach.
  • Improper contact attempts must be reported as a security incident.
  • Workforce is responsible for immediately reporting lost devices or accidental disclosures.

Workforce Responsibility Before Contacting Clients

  • Verify staff authorization level before initiating any client communication.
  • Only trained personnel may access PHI for communication purposes.
  • Staff must follow role-based access: only communicate what relates to their assigned task.
Identity Verification Protocol
  • Confirm client’s identity with two identifiers (e.g., DOB + last 4 digits or case number) before sharing any information.
  • If identity cannot be confirmed → do not disclose PHI.


HIPAA Breach Notification Rule

Definition: The Breach Notification Rule requires healthcare organizations and business associates to notify affected parties when unsecured PHI or ePHI is accessed, used, or disclosed without authorization.

Risk Assessment Process

What Constitutes a Breach

Who Must Be Notified

Documentation

Timeframe for Notification

HIPAA Breach Notification Rule Real-Life Scenarios

Lost Laptop

Wrong Email Sent

Cyberattack (Ransomware)

Definition: A HIPAA breach happens when protected health information (PHI) is accessed, used, or shared without authorization, causing a risk to the patient’s privacy or security.

Curious Access


Remember TO TAKE QUIZ!

HIPAA Computer Labs for Student Trainees
  • Ensure proper use of computers when accessing or entering ePHI
  • Understand student responsibilities when handling PHI
  • Access to HIPAA-secure computer labs only with student ID & login
  • Session timeouts and automatic logoff settings
  • Screen privacy filters and workstation orientation
  • No saving PHI to USBs, cloud storage, or emailing to personal accounts
  • Use approved software only
  • Report technical issues immediately
  • Close all programs and log out after use

PHI can be used or disclosed for treatment, payment, and healthcare operations without patient consent.

Why it’s a Breach: Accessing PHI without a job-related purpose violates the minimum necessary rule. Correct Action: Only access records required for your role. Lesson: Curiosity is not a job duty; unauthorized access is a HIPAA violation.

Staff opens a patient’s record just to see what happened.

Organizations must assess:

  • Type of PHI involved (identifiers, sensitivity)
  • Who accessed or received it
  • Whether PHI was viewed or acquired
  • Mitigation actions taken (e.g., retrieving info, secure deletion)

  • Individuals affected by the breach
  • HHS (Department of Health and Human Services)
  • Media (if 500+ individuals in one state/region are affected)

Integrity Controls: Measures to ensure that ePHI is not improperly altered or destroyed.
Transmission Security: Protecting ePHI when it’s transmitted electronically (email encryption and secure messaging platforms).
Videotapes (for supervision or educational purposes):

  • Secure cabinets or password-protected digital storage
  • Destruction timeline and consent requirements for use

Access Control: Restricting ePHI access to authorized individuals using tools like unique user IDs and passwords.
User Authentication: Verifying that a person accessing ePHI is who they claim to be (two-factor authentication, passwords, biometric scans).
Audit Controls: Mechanisms to track and log system activity (who accessed what and when).
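An added example (not part of the training module) of what an audit control makes possible: the access log it produces can be reviewed against who is actually assigned to each client and what each role may do, which is how the "Curious Access" scenario above (a record opened with no job-related purpose) gets detected. The log lines, the assignment table, and the role rules are all constructed assumptions.

```python
import csv
from io import StringIO

# Constructed sample of an EHR access log, as an audit control would record it;
# not real data.
ACCESS_LOG = """\
timestamp,user,role,patient_id,action
2025-10-05T09:12:00,jdoe,counselor,P1001,view_record
2025-10-05T09:15:00,jdoe,counselor,P1002,view_record
2025-10-05T10:02:00,asmith,billing,P1001,view_billing
2025-10-05T10:07:00,asmith,billing,P1003,view_record
2025-10-05T11:30:00,jdoe,counselor,P2045,view_record
"""

# Constructed assignment table (assumption): which clients each workforce
# member currently has a job-related reason to work with.
ASSIGNMENTS = {
    "jdoe": {"P1001", "P1002"},
    "asmith": {"P1001", "P1003"},
}

# Constructed role-based access rule (assumption): actions each role may perform.
ROLE_ACTIONS = {
    "counselor": {"view_record", "update_note"},
    "billing": {"view_billing"},
}

def review_access_log(log_text: str, assignments: dict, role_actions: dict) -> list:
    """Return one finding per log entry that lacks a job-related purpose.

    An entry is flagged when the user has no assignment to the client (the
    'curious access' case) or when the action falls outside the user's role.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        reasons = []
        if row["patient_id"] not in assignments.get(row["user"], set()):
            reasons.append("no assignment to patient")
        if row["action"] not in role_actions.get(row["role"], set()):
            reasons.append("action outside role")
        if reasons:
            findings.append({"timestamp": row["timestamp"], "user": row["user"],
                             "patient_id": row["patient_id"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in review_access_log(ACCESS_LOG, ASSIGNMENTS, ROLE_ACTIONS):
        print(finding)
```

Each finding is the starting point for the incident report the workforce is required to file, not a conclusion on its own.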

The Minimum Necessary Standard is the part of the HIPAA Privacy Rule that governs the sharing of private health information, also known as PHI. It requires that PHI be accessed, used, or disclosed only for appropriate business or medical purposes, and only in the least amount necessary for that purpose.

Individuals have the right to access their records, request corrections, receive a Notice of Privacy Practices, and file complaints.

Assigned Security Responsibility:

  • Appoint one person responsible for HIPAA security compliance.
Workforce Security:
  • Ensure only authorized staff access ePHI; supervise and train workforce members.
Information Access Management:
  • Use role-based access so each employee sees only what’s needed for their job.
Security Awareness & Training:
  • Provide regular training, send security reminders, and teach how to respond to incidents.
Contingency Plan:
  • Prepare for emergencies: data backup, disaster recovery, and emergency mode operations.

Definition

Administrative Safeguards are policies and procedures that help manage the security of electronic protected health information (ePHI) through people, processes, and planning.

Security Management Process:

  • Risk Analysis – Identify risks and vulnerabilities to ePHI (e.g., hacking, theft, weak passwords).
  • Risk Management – Take action to reduce risks (use firewalls, encryption, training).
  • Sanction Policy – Set and enforce disciplinary actions for HIPAA violations.

Protected Health Information (PHI) is a person or patient's information related to:

PHI can be shared without a patient’s authorization for purposes of: Treatment, Payment & Healthcare Operations

See the 18 Identifiers for PHI

Remember, per the definition above, PHI is not limited to the 18 identifiers.

Geographic and Date Identifiers

All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
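The geographic and date rules just quoted, applied in code. This is an added example, not part of the training module: the set of restricted three-digit ZIP prefixes is a constructed stand-in for the Census-derived list, and the record fields are assumptions.

```python
from datetime import date

# Constructed stand-in for the Census-derived list of 3-digit ZIP prefixes whose
# combined population is 20,000 or fewer (assumption: not the real list).
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "893"}

def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or return '000' when that prefix is restricted."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        raise ValueError("ZIP code must contain at least five digits")
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def safe_harbor_year(iso_date: str) -> str:
    """Dates directly related to an individual keep only the year."""
    return str(date.fromisoformat(iso_date).year)

def safe_harbor_age(birth_iso: str, as_of_iso: str) -> str:
    """Whole-year age, with every age over 89 collapsed into the '90+' category."""
    birth, as_of = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if age > 89 else str(age)

def safe_harbor_birth_year(birth_iso: str, as_of_iso: str) -> str:
    """Birth year may stay unless it would reveal an age over 89."""
    if safe_harbor_age(birth_iso, as_of_iso) == "90+":
        return "90+"
    return safe_harbor_year(birth_iso)

def deidentify(record: dict, as_of_iso: str) -> dict:
    """Apply the geographic and date rules to one constructed patient record."""
    return {
        "zip3": safe_harbor_zip(record["zip"]),
        "birth_year": safe_harbor_birth_year(record["birth_date"], as_of_iso),
        "age": safe_harbor_age(record["birth_date"], as_of_iso),
        "admission_year": safe_harbor_year(record["admission_date"]),
    }

if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    sample = {"zip": "03601-1234", "birth_date": "1935-06-01", "admission_date": "2025-03-01"}
    print(deidentify(sample, "2025-10-05"))
```

These two rules cover only the geographic and date identifiers; the other identifiers in the list of 18 (names, contact details, record numbers, and so on) must still be removed separately.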

  • Individuals: Within 60 days of discovering the breach.
  • Business Associates: Must notify covered entities without delay.

Covered entities are (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information, generally concerning billing and payment for services or insurance coverage. A HIPAA business associate is any entity provided with access to PHI in order to perform regulated services for, or on behalf of, a covered entity.


  • Keep records of the breach, investigation, and notifications.
  • Must show compliance with HIPAA reporting requirements.
  • Retain all documentation for at least 6 years.

A nurse accidentally sends a patient’s lab results to the wrong email address.

Why it’s a breach: PHI disclosed to the wrong person. Action: Notify the patient and document the incident. Lesson: Double-check email addresses before sending PHI.

Protected Health Information (PHI) refers to any information that can identify an individual and relates to their past, present, or future physical or mental health, treatment, or payment for healthcare services.

Why it’s a breach: Unauthorized access to ePHI. Action: Conduct a risk assessment and notify all affected parties. Lesson: Keep strong cybersecurity and data backup systems.

Hackers gain access to a clinic’s electronic health record system.

Privacy Rule

"Who can see or use the information?"

Ensures patients have control over their health data and how it is shared.

Facility Access Controls: Secure areas where systems are housed.
Workstation Use & Security: Guidelines for where and how workstations are used.
Device and Media Controls: Disposal, re-use, and movement of devices (USBs and laptops).
Best Practices:

  • Never leave screens with ePHI unattended
  • Use screen protectors and locking devices
  • Secure server rooms and restrict access
  • Never leave files unattended
  • Avoid storing PHI on personal devices
  • Shred physical documents when no longer needed

A hospital employee loses a laptop containing unencrypted patient records.

Why it’s a breach: Unauthorized individuals could access PHI. Action: Notify affected patients, HHS, and possibly the media. Lesson: Always encrypt all devices storing PHI.


Guidelines for sharing PHI for mental health professionals

Security Rule

"How do we protect the information?"

Focuses on safeguarding electronic health information using passwords, encryption, and secure systems.

Breach Notification Rule

"What happens if information is leaked?"

Requires healthcare organizations to report any unauthorized access or data exposure to patients and authorities.

Danger to Self

  • Recognize when a client may harm themselves.
  • Follow reporting responsibilities and safety planning steps.
Danger to Others (Duty to Warn)
  • Duty to Warn: Legal & ethical duty to break confidentiality if a client threatens serious harm to others.
  • Assess credibility and specificity of threats.
  • Notify law enforcement or potential victims.
Danger to a Public Place
  • HIPAA allows disclosure to law enforcement for serious, credible threats.
  • Credible Threat: Believable, realistic, and imminent risk of harm.
  • Notify public safety, legal counsel, and supervisors.

Child Abuse or Neglect

  • Abuse: Intentional harm (physical, emotional, sexual, or financial).
  • Neglect: Failure to meet basic needs.
  • Know abuse signs and state-specific reporting hotlines.
  • Explain to client/family only what’s necessary.
Note: You need reasonable suspicion, not proof, to report.

Elder or Dependent Adult Abuse
  • Dependent Adult: Age 18–59 with physical/mental disability.
  • Warning Signs: Fear, withdrawal, inconsistent stories, injuries, missing money, unpaid bills, financial changes.
  • Mandated Reporting:
    • Collect basic info (name, age, address, description, perpetrators).

  • Any unauthorized access, use, or disclosure of PHI/ePHI.
  • Includes lost devices, hacking, stolen records, or sending PHI to the wrong person.
  • Exception: If the data was encrypted or there’s low probability of compromise.
