HIPAA Privacy and Security Rules

Authors: Debbie Sabatino, Julia Clendenin, BS, and Paul Fekete, MD FCAP
Reviewers: Laurie Bjerklie, MA, MLS(ASCP)CM and Stephanie Mihane, MLS(ASCP)CM

Continuing Education Credits

Florida Board of Clinical Laboratory Science CE - Supervision/Administration, Quality Control/Quality Assurance, and Safety: 1.5 hour(s)


This course, using examples specific to the clinical laboratory, covers the HIPAA privacy regulations and treatment of protected health information (PHI) in a succinct manner. Content is directed at laboratory staff, from desk personnel to phlebotomists to medical technologists. Includes numerous interactive case studies. Appropriate for annual HIPAA training for laboratory staff. Key areas covered include technical and physical safeguards, minimum necessary standard, administrative requirements, and authorization.

Objectives

  • Define HIPAA.
  • Define "covered entities" and "business associates" and list which individuals, groups, or organizations are included in each category.
  • Explain what is meant by protected health information, who is authorized to view this information, and what safeguards are in place to prevent unauthorized access.
  • Apply HIPAA privacy and security requirements to your daily clinical responsibilities.

Course Outline

  • Overview of HIPAA
    • What is HIPAA?
    • What Information is Protected?
    • Covered Entities
    • Business Associates
    • All of the following are considered protected health information except for:
    • Which of the following individuals, organizations, or agencies are covered by HIPAA?
    • All of the following are examples of HIPAA-regulated business associates except for:
    • HIPAA Rules and Acts
  • HIPAA Privacy Rule
    • Privacy Rule Introduction
      • What is the HIPAA Privacy Rule?
      • HIPAA Privacy Rule
      • Administrative Requirements
    • Patients' Rights
      • Patients' Rights Under HIPAA
      • Notice of Privacy Practices
      • Case Study: Accessing PHI. You are answering the office phone. A person claiming to be a patient whose voice you do not recognize calls demanding all his test results for the past 6 months. He threatens to complain to the government if you won't immediately read him the results over the phone. True or False: Under the HIPAA Privacy Regulations, you must immediately give the patient the requested in
    • Privacy Rule Safeguards
      • Privacy Rule Safeguards
      • Physical Safeguards
      • Administrative Safeguards
      • Technical Safeguards
      • Case Study: Incidental Disclosures and Safeguards. As a manager, you guided a group of students through your clinical laboratory. You did not explain the laboratory's privacy policy to the teacher and students because you thought they would have little access to PHI. However, during the tour, the students overheard names of patients and associated blood tests, saw laboratory reports lying on desks,
    • Use and Disclosure of PHI
      • Patient Authorization
      • Limiting Use and Disclosure of PHI
      • Case Study: Authorization. You are working in a physician's office. The doctor orders laboratory and other diagnostic tests on a patient with suspected Alzheimer's disease. The doctor then asks you to give the patient's name and contact information to the local Alzheimer's support group without getting permission from the patient or the patient's legal guardian. Does the doctor need authorization fro
      • Case Study: Limiting Use and Disclosure of PHI. You are a customer service representative in a clinical laboratory. A nurse at one of your outreach clinic offices calls to request that you fax test results on a patient. The physician is currently seeing the patient and needs the test results immediately. True or False: Under the HIPAA Privacy Regulations, you can comply with this request without ge
      • Minimum Necessary Use and Disclosure
      • Case Study: Minimum Necessary Use and Disclosure. You are a ward clerk responsible for inserting laboratory reports into a patient's medical records. You open their medical record directly to the laboratory tab and insert the report. True or False: Flipping through and reading other sections of the medical record that do not apply to your job responsibilities would violate the HIPAA Privacy Rule.
      • Case Study: Minimum Necessary Use and Disclosure. You are a phlebotomist at a specimen collection center. A patient arrives with orders for a blood glucose test and a lipid profile. You get the patient's address, phone number, health insurance coverage, and when he ate his most recent meal. You then ask him about his recent car accident, his wound infection, and his family. You write down all the
      • De-Identified Health Information
      • Case Study: De-identified Health Information. You work in a laboratory microbiology department that provides a local nursing home with information about the effectiveness of various antibiotics it uses to treat infections. You print the requested information, including patient first and last names, birthdates, and medical record numbers. You also print the bacterial organisms identified and the orga
    • HIPAA Security Rule
      • Security Rule Introduction
        • What is the HIPAA Security Rule?
        • Security Officer Requirement
      • Security Rule Safeguards
        • Security Rule Safeguards
        • Physical Safeguards
        • Case Study: Physical Safeguards. You are a health clinic supervisor. During a new employee's orientation, you instruct him to keep the door leading from a patient area to a computer work area locked at all times. On several occasions, he forgets to ensure the door is locked as he leaves. Which of the following is true regarding this situation?
        • Administrative Safeguards
        • Case Study: Administrative Safeguards. You are the scientist in charge of the hematology department in a hospital laboratory. The laboratory manager and the pathologist who oversee the laboratory's Quality Management Program have asked you to review blood count results for 100 patients as part of an internal quality assurance project. You review only the clinical findings in the electronic medical
        • Technical Safeguards: System Access Control
        • Technical Safeguards: Passwords
        • Technical Safeguards: Protection Against Viruses and Malicious Software
        • Technical Safeguards: Email Security
        • Technical Safeguards: Summary
        • Case Study: Technical Safeguards. You have several sets of logins and passwords to access various information systems. The login is your own first initial and last name, but you have difficulty remembering the passwords, so you write them down on a sticky note that you keep on your desk. This is not a good idea because:
      • HITECH Act
        • What is the HITECH Act?
        • Filing a HIPAA Violation
        • HIPAA Violation Penalties
        • Increased Business Associate Liability
        • HIPAA Breach Notification Rule
      • Omnibus Rule
        • What is the Omnibus Rule?
        • Stronger Patients' Rights
        • Privacy and Security Rule Modifications
        • HITECH Act Enforcements and Modifications
        • The Omnibus Rule created which of the following modifications?
      • Special Topics
        • HIPAA Discretions as a Result of COVID-19
        • HIPAA Privacy Rule to Support Reproductive Health Care Privacy
      • Conclusion
        • Follow your Facilities' Policies and Procedures
      • References
        • References

Additional Information

Intended Audience: All healthcare personnel
Level of Instruction: Basic 
Authors' Information:
Debbie Sabatino has over 20 years of progressive technical, operational, business development, and risk management experience in healthcare. Currently, she is the Senior Manager, Enterprise Risk at McMaster University. Previously, she was Director, Privacy for MDS Laboratory Services, which includes Canadian and US Operations. As a privacy expert for the organization, Ms. Sabatino is responsible for developing, implementing, and ensuring the ongoing success of the Laboratory Services privacy program and the company’s global privacy approach. Debbie is a member of the International Association of Privacy Officers (IAPO) and the Conference Board of Canada Chief Privacy Officers Council.
Julia Clendenin is a content and graphics developer for MediaLab. She graduated from Georgia Institute of Technology with a B.S. in Biochemistry and a B.S. in Literature, Media, and Communication. 
Paul Fekete, MD, is the founder of MediaLab. He was formerly an Assistant Professor of Pathology at Emory University and the Director of Laboratories for Gwinnett Health System near Atlanta. Dr. Fekete has extensive experience teaching and is the author of numerous journal articles and several book chapters. He additionally has extensive experience in instructional design.
Reviewer Information
Laurie Bjerklie, MA, MLS(ASCP)CM, is an Education Developer for MediaLab and LabCE. She earned a B.S. in Medical Laboratory Science from the University of North Dakota and an M.A. in Curriculum and Instruction from Saint Xavier University. She has over 15 years of experience in higher education and has held program director and faculty positions in both MLT and MLS programs.
Stephanie Mihane, MLS(ASCP)CM, is a retired laboratory professional with over 35 years of experience as a generalist. She also worked as the Point-of-Care Coordinator for 15 years at Kaiser Permanente-Colorado Region. Stephanie also served on Region VIII's ASCLS Board of Directors from 2019 until 2022.