Data Protection and Confidentiality Training Course

Data Protection and Patient Privacy (HIPAA) is a legal requirement for all employees at Outpatient Physical Therapy. OPT must be able to demonstrate that measures have been taken to ensure confidentiality and the safe handling of information. This is a legal duty on all employees and companies who collect and store any kind of information.

This online guide will help you to learn how to deal with confidentiality/HIPAA issues in the workplace.

Health Insurance Portability and Accountability Act (HIPAA)

Privacy for Beginners: What Every Healthcare Worker Needs to Know About HIPAA and Privacy

What is HIPAA?

  • Health Insurance Portability and Accountability Act (HIPAA) is broad federal legislation that includes rules to protect the privacy and confidentiality of patient information. 
  • Does not replace existing confidentiality laws 
  • Establishes a minimum requirement

Protected health information

HIPAA regulates the use and disclosure of what is known as protected health information or “PHI.” 

PHI is any information that identifies an individual and relates to that individual's past, present, or future health care, or to the payment for that care.

This is virtually all information about a patient, whether written on paper, saved on a computer, or spoken aloud. This includes their:

  • Name 
  • Address 
  • Age 
  • Social Security number
  • Other personal information
  • License plate numbers
  • Fax machine numbers

Use of protected health information

  • In general, a healthcare provider can access and use PHI without specific patient authorization, if it is to be used for treatment, payment, or healthcare operations (TPO). 
  • Before looking at a patient’s health information, ask yourself, “Do I need to know this to do my job?” 
  • Minimum Necessary Standard: always use or disclose only the minimum amount of information necessary to honor the request 
  • If you are not sure whether you should disclose any form of PHI, ASK your supervisor, department compliance representative or the compliance officer 
  • Once the disclosure is made it’s too late to get it back.

HIPAA confidentiality

HIPAA privacy also protects the following: 

  • The reason the patient is sick or in the hospital 
  • The treatments and medication he or she receives 
  • Case notes 
  • Information about past health conditions

Other uses of protected health information

A healthcare provider can also disclose PHI without patient authorization in the following circumstances: 

  • When required by law 
  • Public health activities 
  • Law enforcement 
  • Other national priorities: funeral directors, organ donation, research, preventing a disaster, special government functions, workers’ compensation

Use of electronic protected health information (ePHI)

  • HIPAA security rules apply only to ePHI stored, maintained or transmitted in an electronic format 
  • ePHI is the same information as PHI: anything that could identify the patient, their medical condition or method of payment 
  • Security rules require additional compliance
  • Use computers and other technology appropriately. Employees may not use their computers or system access to review their own or their family members’ PHI. 
  • If you use a laptop or tablet it is your responsibility to: 
    • Obtain approval before transferring ePHI to a portable device 
  • It is your responsibility to protect ALL ePHI from theft, both electronic and physical
  • Monitor the use of cellular phones: information and images (ePHI) can be sent over the Internet, and this ePHI is not encrypted 
  • Sending ePHI over the e-mail system is not allowed. Use other identifiers, such as a case number, instead.
  • Use e-mail and Internet access appropriately: workforce members should remember that e-mails sent to or from OPT computers are not considered private. OPT can and does audit e-mail and Internet usage
  • Password control: sign off from applications when you are finished. 
  • You are your password. Protect it. Never share it. 
  • If you believe your password has been compromised, change your password immediately. Tell the compliance officer listed at the end of this training that you feel your password may have been compromised.


Our patients have a right to expect we will keep their information confidential. This information includes anything that could identify or be used to find out the identity of the patient or their medical condition. 

As employees, volunteers and physicians, we come in contact with many forms of patient information, e.g. case notes, doctor referrals, patient census listings, etc. We need to understand what the acceptable uses of this information are. 

Follow the “need to know” rule. Ask yourself “do I need to see patient information to perform my job”. If the answer is “Yes”, you have nothing to worry about. If the answer is “no”, STOP.

The lunch room, the elevator or any of the social media sites are not the place to discuss the medical condition or other aspects of a patient’s care. 

Information you have access to must not be the subject of conversation with family, friends or neighbors. 

Most disclosures of PHI do not need an authorization by the patient. PHI can be disclosed without an authorization for reasons of TPO and for any of the 12 permitted uses under the Privacy Rule. Any other disclosure requires an authorization by the patient. 

The minimum necessary standard needs to be applied to all disclosures except for treatment purposes, disclosures to the patient or as required by law.

  • Ask the patient to repeat the social security number
  • Repeat the social security number I have written down

  • I can review patient information when it is on a need-to-know basis
  • I can give patient information to a relative who calls in for an update
  • I have a better understanding of HIPAA and privacy laws because of this training!

Confidentiality Guide

Guidelines for Dealing with Confidential Information

1. Safeguard your username, password and any other access credentials you have for systems and applications that deal with confidential information.

2. Protect devices such as tablets and desktop computers that contain confidential information.

3. Never leave your computer unattended when confidential information is on the screen.

4. Before transmitting confidential information to others, be sure that:

  • The transmission complies with the law and privacy and security policies;
  • The recipient has a legitimate business purpose for the information;
  • You're sending no more information than is needed by the recipient; 
  • You're sending the information in a protected manner (e.g., encrypted) when called for by the company policies or the law.

5. Retain or destroy confidential information contained in your records in accordance with your record-management policy.

6. Report any security incidents or privacy breaches that you observe or become aware of as soon as possible.

Which one of the following shows respect for confidentiality of information?

  • Discussing confidential information over the telephone.
  • Disclosing confidential information only to authorized individuals.
  • Uploading confidential information to a shared web site.
  • Emailing confidential information to a colleague.

How should confidential information be sent using an unsecured network?

  • In an encrypted format.
  • In a compressed format.
  • In an attachment.

Mark the following statements as true or false.

  • Because you work in a secure building, you can discuss confidential information in an open work area.
  • The Information Security Policy and related policies only apply to electronic and hardcopy records and do not apply to verbal discussions.
  • You should always lock your computer when you are away from your desk.

How to Keep Your Password Safe

How can you keep your password secure?

  • Write it in your notebook.
  • Memorize it.
  • Tell a person who you know you can trust.

What is an example of a strong password?

  • 1234567890
  • G*rbea8$e
  • qwerty123
  • johndoe

Mark the following statements as true or false.

  • Your password should be changed regularly.
  • Whenever possible avoid using password managers.
  • It is OK to share your password with your colleagues.

Breaches of workplace confidentiality can result in a range of problems. Customers tend not to work with companies they think are untrustworthy, and consumers may specifically warn people away from companies that have mishandled private information.

This course has been produced so that employees are aware of the proper ways of dealing with confidential information and of keeping company data safe.