HIPAA
What does HIPAA mean?
Health Insurance Portability and Accountability Act
access controls
controls to ensure that access to sensitive information is available on a need-to-know basis, based on user responsibility
person or entity authentication
controls to verify that a person or entity seeking access to PHI is who it claims to be, so that data is sent to and received by the intended recipient; includes password protections, PINs, and encryption
data authentication
controls to help ensure that health data has not been altered in an unauthorized manner
audit controls
controls to record and examine system activity, helping to eliminate unnecessary access to sensitive information
The HIPAA "Privacy Rule"
(2003) established standards for the protection and disclosure of patient health information, and specifically:
-Defines identifiable protected health information (PHI), including patient identifiers such as a person's name, birthdate, picture, medical diagnoses, address, Social Security number, etc.
-Stipulates how this information may be used, by whom, and under what circumstances.
-There are 18 patient identifiers that must be protected.
-Be aware that health information by itself, without the identifiers, is not considered protected health information (PHI).
-For example, a set of vital signs by itself is not protected. However, when the vital signs are accompanied by a name or medical record number, they must be protected.
Privacy Rule requires:
-a privacy officer
-training
-business associates
-tracking
-violations
security rule requirements include:
-security officer
-risk analysis
-risk management
-sanction policy
-information system activity review
-employee security
-business associate agreements
-contingency plan
-security incident procedures
-physical safeguards
Patient authorization for disclosure is not needed in situations where:
-Laws require reporting of abuse, neglect, or domestic violence. EX: child abuse
-Disclosure of information is needed to facilitate organ donation. EX: kidney donation
-Laws require reporting of information for preventing or controlling illnesses, communicable diseases, injury, or disability. EX: HIV, STDs
-Disclosure may lessen a serious threat to a person or the public. EX: workplace violence
the security rule requires certain technical safeguards for PHI, including:
-access controls
-audit controls
-data authentication
-person or entity authentication
-transmission security
physical safeguards include the following:
-facility access controls
-guidelines on workstation use and security
-media controls
Entities covered by the Privacy and Security Rules include:
-healthcare plans
-healthcare providers
-healthcare clearinghouses
-business associates of covered entities, such as auditors, lawyers, etc.
once acknowledgment of NPP has been made, entity may:
-use PHI for its own treatment, payment, or healthcare operations
-disclose PHI to other covered entities for their treatment, payment, or certain limited healthcare operations
the Notice of Privacy Practices must inform patients of:
1.) the uses and disclosures of PHI that the entity may make
2.) the patient's right to access and amend their medical information
3.) the covered entity's responsibilities with respect to PHI
the primary purposes of HIPAA are:
1.) to protect people from losing their health insurance if they change jobs or have pre-existing health conditions
2.) to reduce the costs and administrative burdens of healthcare by creating standard electronic formats for many administrative transactions that were previously carried out on paper
3.) to develop standards and requirements to protect the privacy and security of personal health information
When did congress enact HIPAA?
August of 1996
T/F: HIPAA does not allow leaving messages for patients at their homes, on an answering machine, or with a family member
False. This can be done as long as the number or family member has been approved by the patient.
T/F: HIPAA prohibits displaying patient care signs like "fall risk" or "diabetic diet" at the door of the hospital room or bedside
False.
T/F: HIPAA prohibits leaving patients' charts at the bedside or outside patients' rooms
False.
T/F: HIPAA prohibits discussions of a patient's condition over the phone with a doctor or family member
False. This can be done as long as it is to the patient or a family member that has been approved to receive information
2 separate regulations that are part of HIPAA
Privacy Rule and Security Rule, created to ensure the highest degree of patient confidentiality when dealing with personal health information
Health care providers are required to adhere to HIPAA regulations. Failure to do so can result in:
a reprimand, sanction, fine, or loss of licensure by the government or state board of nursing and/or loss of employment by the employer
media controls
a set of procedures that govern the receipt and removal of hardware and software, such as disks, memory sticks, laptops, and PDAs, as well as procedures for off-site data backup
What is HIPAA?
a set of rules for hospitals and health care providers to ensure that medical records, medical billing, and patient accounts meet certain consistent standards for handling, documentation, and privacy.
Notice of Privacy Practices (NPP)
a written statement that details the provider's privacy practices
business associates
administrative safeguard that requires business associates such as lawyers, consultants, auditors, billing companies, etc. to confirm that they will protect PHI
business associate agreements
agreements with external recipients of PHI confirming that they will protect the confidentiality of data exchanged
sanction policy
applying appropriate sanctions against employees who fail to comply with HIPAA policies and procedures
PHI held by entities covered by the Privacy and Security Rules is protected and never disclosed unless:
the individual authorizes it in writing, or the disclosure is one that HIPAA permits or requires
facility access controls
develop a facility security plan that deters intruders from accessing environments where sensitive information resides
employee security
develop a plan for granting and limiting different levels of access to PHI, including clearance procedures and termination procedures
T/F: HIPAA prevents nurses and doctors from discussing a patient's condition or treatment in a semiprivate room with the curtain pulled
False. This can be done as long as it is for patient care purposes. It is good to be conscious of who may be on the other side of the curtain and to ask the patient if it is okay to discuss this information there.
information system activity review
implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
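The access controls, audit controls, and information system activity review cards describe reviewing access logs for "unnecessary access" on a need-to-know basis. The following is an added example, not part of the original card set: a small review script that runs over a constructed audit log and flags PHI accesses that fall outside a user's documented care relationship or outside the resources their role needs (the "minimum necessary" standard). The log format, user names, care-team roster, and role scopes are all constructed assumptions for illustration, not a real EHR's format.

```python
"""Added example (not from the original card set): review a PHI audit log
for accesses that exceed need-to-know. Log format, roster and role scopes
below are constructed assumptions for illustration."""
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed audit log: who touched which patient's record, and which part.
AUDIT_LOG = """\
ts,user,role,patient,resource,action
2024-03-01T08:02:11,nurse_ana,nurse,MRN1001,vitals,read
2024-03-01T08:05:40,dr_lee,physician,MRN1001,notes,read
2024-03-01T09:14:02,billing_sam,billing,MRN1001,notes,read
2024-03-01T09:20:55,billing_sam,billing,MRN1001,claims,read
2024-03-01T11:30:00,nurse_ana,nurse,MRN2002,vitals,read
2024-03-01T12:01:17,nurse_ana,nurse,MRN2002,vitals,update
"""

# Constructed care-team roster: the treatment relationships that justify
# a clinical user's access to a given patient's record.
CARE_TEAM = {
    "MRN1001": {"nurse_ana", "dr_lee"},
    "MRN2002": {"dr_lee"},
}

# Constructed "minimum necessary" scope: which record sections each role
# needs to do its job. Billing works from claims, not clinical notes.
ROLE_SCOPE = {
    "nurse": {"vitals", "notes", "meds"},
    "physician": {"vitals", "notes", "meds", "labs"},
    "billing": {"claims", "demographics"},
}

# Roles whose access is justified by a treatment relationship (assumption).
TREATMENT_ROLES = {"nurse", "physician"}


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    patient: str
    resource: str
    reason: str


def review_audit_log(log_text, care_team, role_scope):
    """Return one Finding per access that violates role scope or lacks a
    documented care relationship. Findings keep log order."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, role = row["user"], row["role"]
        patient, resource = row["patient"], row["resource"]

        # Minimum-necessary check: the resource must be in the role's scope.
        if resource not in role_scope.get(role, set()):
            findings.append(Finding(row["ts"], user, patient, resource,
                                    "resource outside role scope (minimum necessary)"))

        # Need-to-know check: clinical users must be on the patient's care team.
        if role in TREATMENT_ROLES and user not in care_team.get(patient, set()):
            findings.append(Finding(row["ts"], user, patient, resource,
                                    "no documented care relationship"))
    return findings


def findings_by_user(findings):
    """Summarise findings per user, the view a privacy officer would review."""
    summary = {}
    for f in findings:
        summary.setdefault(f.user, []).append(f"{f.ts} {f.patient}/{f.resource}: {f.reason}")
    return summary


if __name__ == "__main__":
    for user, items in findings_by_user(
            review_audit_log(AUDIT_LOG, CARE_TEAM, ROLE_SCOPE)).items():
        print(user)
        for item in items:
            print("  " + item)
```

The two checks are independent on purpose: billing_sam reading clinical notes is flagged as outside role scope even though billing staff are never on a care team, and nurse_ana's two touches on MRN2002 are flagged only because no care relationship is on file, not because vitals are outside a nurse's scope. A real review would also want the roster to carry relationship dates, since a relationship that ended last month does not justify access today.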
risk management
implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with HIPAA requirements
violations
implementing rules for addressing violations of privacy, security, and transaction regulations including establishing a process for making complaints and preventing retaliation against anyone who reports a HIPAA violation
Security incident procedures
instructions for reporting and dealing with security breaches
healthcare representatives (personal representatives) or parents of minors are allowed to:
make healthcare decisions for patients and have the same information access as the individual
When dealing with state laws regarding patient information, HIPAA...
preempts the state law UNLESS the state law is stricter (more protective of patient privacy)
security officer
person responsible for the development, implementation, and evaluation of security policies (may be the same person as the privacy officer)
contingency plan
plan for responding to system emergencies, including the performance of backups, emergency-mode operations, and disaster-recovery procedures
guidelines on workstation use and security
procedures describing the proper functions to be performed on computers, and how to handle sensitive information that may be displayed on computer screens
when requesting PHI from another covered entity, the entity must:
request the minimum amount of PHI needed to accomplish what is needed
privacy officer
required administrative safeguard responsible for the development and implementation of privacy policies and the receiving of complaints
tracking
requirement for a system that can track who accessed what information
transmission security
when sending PHI electronically (e.g., via email or fax), encryption must be used to protect it, along with appropriate authentication procedures
HIPAA Privacy Rule prohibits an entity from disclosing PHI to others without
signed authorization (unless the use or disclosure is one the Privacy Rule permits or requires)
failure to comply with HIPAA may result in
significant financial penalties: civil fines of up to 1.5 million dollars per year (per violation category) and criminal penalties of up to 10 years of imprisonment
risk analysis
an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI, including technical evaluation of the systems that hold it; it is the basis for choosing the procedures that keep those systems secure from intrusion
training
training of all workforce members on privacy policies and procedures, as necessary and appropriate for them to carry out their job functions
T/F: a health-related newsletter that a covered entity distributes to patients to inform them about new healthcare developments would not be considered marketing under the privacy rule and therefore allowed.
True.
T/F: The privacy rule allows "incidental" disclosures of PHI as long as the covered entity uses reasonable safeguards and adheres to the "minimum necessary" standard
True. For example, doctors' offices may use sign-in sheets in waiting rooms, charts may be kept at bedsides, and nurses may converse at the nurses' station.