LDES App Cyber Security Training Program
To be compliant with your LDES App User Contract you must complete this program:
- Within 30 days of LDES App registration
- Within 30 days following your annual renewal
- Within 30 days of a LDES security or HIPAA program update
Please review the LDES HIPAA Privacy Training Policy prior to taking the training quiz:
Government Educational Resources:
Note: LDES can provide a "Document for Completion of the LDES HIPAA Training Program ". The purpose of this online training program is for training documentation, not certification of HIPAA complliance since the Health and Human Services (HHS.gov) does not endorse any HIPAA certification program nor does it certify any individual. Upon completion of this online program you may request a spreadsheet demonstrating completion of the LDES App Cyber Security Training Program .
Breach – an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart # is presumed to be a breach unless the covered entity or business associated, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The Extent to which the risk to the PHI has been mitigated
Business Associate – is a defined term within HIPAA that includes a person or organization – other than a member of a covered entity’s workforce – that performs certain functions or activities on behalf of, or provides services to a covered entity that involve the use or disclosure of individually identifiable health information.
Covered Entity – is a defined term within the Health Insurance Portability and Accountability Act (HIPAA) and includes health care providers, health plans, and health care clearinghouses.
Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:
- Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
- Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Information Security Officer – A qualified individual appointed by management to manage and supervise the use of security measures to protect data and the conduct of personnel in relation to the protection of data.
Protected Health Information (PHI or ePHI) – Individually Identifiable Health Information that is transmitted by electronic media ePHI; maintained in any medium described in the definition of electronic media; or transmitted or maintained in any other form or medium.
Violation – An infraction of a security policy, procedure or safeguard that may or may not result in damage to the facility or exposure to liability.
Workforce – Employees (including but not limited to: biweekly staff, monthly payroll staff), independent contractors, residents, interns, per diems, Senior Medical Staff, Advanced Practice Clinicians, Allied Health Professionals, Fellows, volunteers, students, contracted staff and other persons whose conduct in the performance of work for the facility, is under the direct control of such facility, whether or not they are paid by the facility.
State and Federal Health Privacy and Security Laws
Federal Health Privacy and Security Laws
The federal Health Insurance Portability and Accountability Act (HIPAA) requires providers of health care (including mental health care) to ensure the privacy of patient records and health information and requires the federal Department of Health and Human Services (HHS) to adopt implementing rules. HIPAA and its rules apply to health care providers, health plans and other entities that process health insurance claims and these are referred to as "HIPAA covered entities." The business associates of these covered entities that receive protected health information (PHI) must also comply with the HIPAA rules.
On March 26, 2013, HHS' Final Omnibus Rule adopted pursuant to HIPAA and related federal laws go into effect. This final rule includes the Privacy Rule, the Security Rule and the Breach Notification Rule.
The HIPAA Privacy Rule gives consumers rights over their health information and sets limits on who can look at and receive a consumer's protected health information (PHI). That Rule applies to all forms of PHI, whether oral, electronic or written.
The HIPAA Security Rule protects PHI that is in electronic form and requires entities covered by HIPAA to maintain reasonable safeguards to ensure that electronic PHI is secure.
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notice to affected consumers and to HHS in the event of a breach of unsecured PHI.
Learn more about HIPAA and its related rules.
HIPAA also provides that if a state law grants more privacy protection to a patient, the state law will apply.
Texas State Health Privacy and Security Laws
Effective September 1, 2012, the Texas Medical Records Privacy Act provides additional protections to consumers. The Act is broader in scope than HIPAA because it applies not only to health care providers, health plans and other entities that process health insurance claims but also to any individual, business, or organization that obtains, stores, or possesses PHI as well as their agents, employees and contractors if they create, receive, obtain, use or transmit PHI.
Under the Act, these individuals, businesses and organizations must comply with several requirements including mandatory training for employees regarding PHI. In most instances, the Act prohibits covered entities from using or disclosing PHI without first obtaining an individual's authorization.
Learn more about the Texas Medical Records Privacy Act.