HIPAA Study Guide
1135 Waiver Authority/Coronavirus Preparedness and Response Supplemental Appropriations Act
-Allows telehealth services to be furnished to patients in all areas of the country, in all settings
-Includes services provided in any healthcare setting or in the patient's home
-Visits are considered the same as in-person visits and are paid at the same rate
The Notice of Privacy Practices (Privacy Notice)
-Document that healthcare providers and other covered entities must develop in order to inform patients about their rights surrounding the protection of their PHI and to outline permissible use and disclosure
-Must provide new patients a copy and obtain the patient's signed acknowledgement of receipt of the ________
-Must be posted in the office and on the entity's website
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
-Federal law protecting health information
-Governs the permissible uses and disclosures of health information that identifies the subject of the information
-Covers only information created, received or maintained by or on behalf of health care providers and health plans
HIPAA for Professionals
-HIPAA Privacy Rule
-HIPAA Security Rule
-Breach Notification Rule (Omnibus)
2013 Omnibus Rule
-Hold business associates and covered entities more accountable
-Prevent the unauthorized sale of PHI
-Restrict the use and disclosure of PHI for marketing and fundraising
-Provide individuals with the authority to obtain electronic copies of their health records and to decline to disclose information related to a treatment paid for out-of-pocket
-Mandate that covered entities update and redistribute their notices of privacy practices
-Change certain requirements related to the disclosure of health information with the intent to facilitate research and the disclosure of childhood immunization records
-Allow family members to access the health records of their decedents
-Enforce penalties for noncompliance that arise from willful neglect
-Prohibit health plans from using or disclosing genetic information for underwriting
-Amend the civil monetary penalties
Business Associate
-A person or entity that is not a member of the practice's workforce but uses or discloses PHI to carry out certain functions or activities on behalf of the medical practice or other covered entity, for example:
-Claims processing
-Data analysis
-Utilization review
-Billing
Telemedicine Tips
-Notify patients that third-party applications potentially introduce privacy risks
-Enable all available encryption and privacy modes when using such applications
-The patient must initiate the service and give consent to be treated virtually, and the consent must be documented in the medical record
HIPAA & Ethics: Beneficence
-Obligation of healthcare providers and other professionals to always make sure their patients' well-being is their highest concern
-The patient is always put first
Forms of PHI
-Patient name
-Addresses
-Dates: birth, admittance, discharge, death
-Phone and fax numbers
-Email addresses
-SSN
-Medical record numbers
-Account numbers
-Health plan beneficiary numbers
-DL (driver's license) information
-Vehicle information
-IP addresses/URLs
-Biometric identifiers
-Full face photos
-Certificate/license numbers
-Medical device identifiers
-Test results
2009 (HITECH) Health Information Technology for Economic and Clinical Health Act
-Promote widespread adoption and interoperability of health information technology (Pozgar, 2016)
-Encouraged healthcare providers to adopt electronic health records and improved privacy and security protections for healthcare data
-Four categories of violations (HHS, 2017):
1. No Knowledge
2. Reasonable Cause
3. Willful Neglect - Corrected
4. Willful Neglect - Not Corrected
-Four tiers of penalty:
1. $100-$50,000
2. $1,000-$50,000
3. $10,000-$50,000
4. $50,000-$50,000
Annual Limit: $1,500,000
Security Risk Analysis
-Protect against reasonably anticipated threats or hazards to the security or integrity of such information
-Protect against any reasonably anticipated uses/disclosures of such information that are not permitted or required by the Privacy Rule
-Ensure workforce compliance
TPO: Treatment
-Provision, coordination, or management of health care
-Consultation between health care providers
-Referral of a patient from one health care provider to another
Permitted Disclosures (without patient consent)
-Required by law
-Public health activities
-Victims of abuse or neglect
-Health oversight activities
-Law enforcement purposes
-Decedents
-Cadaveric organ, eye, or tissue donation
-Research
-Serious threat to health or safety
-Essential government functions
-Workers' compensation
TPO: Payment
Activities conducted by the practice to obtain reimbursement for services, obtain premiums, provide benefits, or determine coverage/eligibility
TPO: Health Care Operations
Activities related to your practice's business, including clinical management and administrative duties
Types of Security Risk Analysis
Administrative Safeguards:
-Policies and procedures
Physical Safeguards:
-Unauthorized access to the facility or workstations
Technical Safeguards:
-IT, configurations, firewall, VPN, encryption
Covered Entity
Applies to providers (doctors), health plans (insurers), and health care clearinghouses, and to their contractors (public or private entities)
Phishing
Cybercrime in which a fraudulent attempt is made to obtain sensitive information such as:
-Usernames
-Passwords
-ePHI
-Other personal identification information
HIPAA: Integrity
Data or information has not been altered or destroyed in an unauthorized manner
HIPAA: Availability
Data or information is accessible and usable upon demand by an authorized person
HIPAA: Confidentiality
Data or information is not made available or disclosed to unauthorized persons or processes
HIPAA Violation Penalty Tiers from the HITECH Act of 2009
First Tier:
-No knowledge of the violation
Second Tier:
-"Knew or by exercising reasonable diligence would have known" of the violation, though they did not act with willful neglect
Third Tier:
-"Acted with willful neglect" and corrected the problem within a 30-day time frame
Fourth Tier:
-"Acted with willful neglect" and failed to make a timely correction
Ransomware
Form of malware or malicious software that blocks access to a computer system or data until the organization pays a fee or ransom to the attacker
Privacy
Gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections
21st Century Cures Act (2016)
Goal is to promote transparency and provide visibility into services, quality, and costs of healthcare
How were HIPAA guidelines expanded during the COVID-19 pandemic?
The Centers for Medicare and Medicaid Services (CMS) broadened access to mitigate the need for travel and to improve access to physicians and physician practices
HIPAA: Employee Responsibilities (OT)
Identify and secure your physical workspace:
-Make sure your internet connection is secure
-Lock up documents and devices
-Shred documents that are no longer needed
-Adopt a clean desk policy
Keep your work and personal life separate:
-Don't use work devices as personal devices
-Don't let anyone else use your device
Watch out for common threats:
-E-mail phishing
-Ransomware
HIPAA: Employer Responsibilities
Identify the need for and extent of access for remote workers:
-Who needs to be working remotely?
-What data is being accessed?
-How is the data being accessed?
Define acceptable policies for the identified resources:
-Create policies regarding passwords, anti-malware, patching, encryption, and physical security
-Create restrictions regarding data storage and device synchronization
Configure controls to support your policies for securing the applications and data that can be accessed:
-Install anti-malware on all devices
-Apply patches and updates to operating systems and applications
-Enforce password-protected screen savers and inactivity timeouts
-Configure encryption to protect any data stored locally on the device
-Enable the ability to remotely wipe a lost or stolen device
Train your staff
In regards to PHI, what does TPO stand for?
T - Treatment
P - Payment
O - Health Care Operations
HIPAA & Ethics: Justice
Making sure that all patients have equal access to the treatments they need to heal
HIPAA: Information Blocking
A practice by a health IT developer, health information network (HIN), health information exchange (HIE), or health care provider that, except as required by law or specified by the Secretary of HHS as a reasonable and necessary activity, is likely to interfere with access to, exchange of, or use of electronic health information (EHI)
Disclosures of PHI
Release, transfer, giving access to, or divulging PHI in any other manner to anyone outside of the practice
Security
Safeguards that covered entities and their business associates must implement to protect ePHI
PHI: Uses
Sharing, employment, application, utilization, examination, or analysis of PHI within the practice
PHI: Minimum Necessary
Standard requiring covered entities to limit the amount of PHI that is used or disclosed to the "_________" to accomplish the intended purpose, unless the disclosure is to the patient, the Secretary of the Department of Health and Human Services, or to another provider for treatment purposes
HIPAA & Ethics: Non-Maleficence
The duty of practitioners to not cause harm to patients
HIPAA & Ethics: Autonomy
The right of individuals to make their own choices regarding their healthcare
There are 6 penalties in total, but what are the 5 most enforced penalties in regards to HIPAA violations?
1. Failure to conduct a Security Risk Analysis
2. Failure to implement adequate security
3. Failure to record and examine activity in information systems
4. Failure to create logs and access reports, and no information system reviews
5. Failure to sign business associate agreements
HIPAA: Breach
Unauthorized acquisition, access, use or disclosure of unsecured PHI is presumed to be a _______ unless it is demonstrated that there is a low probability that the PHI has been compromised
What are the four ethical principles of HIPAA?
1. Autonomy
2. Non-Maleficence
3. Beneficence
4. Justice
What are two types of HIPAA security risks?
-Phishing
-Ransomware
What does the 2013 Omnibus Rule do?
Implements most of the privacy and security provisions of the HITECH Act and significantly extends the reach and limits of HIPAA
What does "minimum necessary" mean in regards to PHI?
When transferring information, you give only the minimum necessary to whoever you are transferring the information to
What is PHI?
-PHI stands for protected health information
-This is any health information that can be linked to a specific individual
What is one way that HIPAA works to protect the patient?
Sets limits and conditions on the uses and disclosures that may be made of protected health information (PHI) without patient authorization
What is the difference between HIPAA privacy and HIPAA security?
Privacy - applies to all of the confidential forms done in a clinic or things of this nature
Security - applies more to things done electronically
When should you notify HHS of a breach? Should even small breaches be reported?
-HHS requires notification of ALL breaches
-Notify affected patients within 60 days, by first-class mail
-Breach affecting fewer than 500 individuals: notify HHS annually
-Breach affecting more than 500 individuals: notify the HHS Secretary within 60 days and notify "prominent media outlets"
Authorization of PHI
Written permission to use or disclose the individual's PHI for purposes other than TPO