Confidentiality and HIPAA
Protected Health Information
Also known as PHI: individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form (paper, electronic, or oral). Identifiers such as name, address, date of birth, and Social Security number are what make health information identifiable. Under HIPAA's Privacy Rule, patients must be given a notice of privacy practices that explains their rights and, for certain disclosures (for example, listing in a facility directory or sharing with family members involved in their care), an opportunity to object.
HITECH
Also known as the Health Information Technology for Economic and Clinical Health Act: enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). It addresses the privacy and security concerns associated with the electronic transmission of health information, in part through provisions that strengthen the civil and criminal enforcement of the HIPAA rules, apply those rules directly to business associates, and require notification of breaches of unsecured PHI.
Privileged Communication
A confidential communication between a patient and a health care provider that the law protects from disclosure without the patient's consent; in practice, any information a patient shares with a provider in the course of care.
Security Rule
HIPAA standards and safeguards (administrative, physical, and technical) to protect health information that is collected, maintained, used, or transmitted electronically (ePHI). The safeguards must be implemented to ensure that facilities, equipment, and patient information are protected from damage, loss, tampering, theft, or unauthorized access. These standards protect the confidentiality, integrity, and availability of ePHI.
Accountability
Part of the HIPAA law: the "Accountability" in the Act's name refers to the portion (Title II) that holds covered entities responsible for protecting the integrity, availability, and confidentiality of health data and backs that responsibility with enforceable penalties.
Privacy and Security of Health Information
The privacy and security standards established and governed by HIPAA. HIPAA covers more than privacy, however: it also protects health insurance coverage for workers and their families when they change or lose their jobs (the "portability" in its name), and it defines patient rights such as access to one's own medical information.
Tracking Disclosures of PHI
The HIPAA Privacy Rule requires tracking of releases of protected health information so that a patient can be given an accounting of disclosures on request. A tracking system should record, for each disclosure:
- Date of disclosure
- Name (and address, if known) of the person or entity that received the PHI
- Description of the PHI disclosed
- Statement of the reason for disclosure (or a copy of the written request)
Note: The Privacy Rule's minimum necessary standard limits employees' access to only the type of PHI needed to perform their jobs. For example, a respiratory therapist would not need access to the financial system to perform their duties.
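As an added example (not code from the original page), the following Python sketch shows how the disclosure-tracking fields above and the minimum-necessary note can be turned into working logic: an append-only disclosure log that refuses incomplete entries and can produce a per-patient accounting for a date range, plus a deny-by-default role check that keeps a respiratory therapist out of financial records. The field names, role names, record categories, and sample entries are constructed assumptions for illustration, not a real facility's schema.

```python
"""Accounting-of-disclosures log plus a minimum-necessary role check.

Added example, not code from the original page. Field names, role names,
record categories and the sample entries below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Disclosure:
    """One release of PHI, carrying the fields the Privacy Rule tracking list names."""
    patient_id: str
    disclosed_on: date
    recipient_name: str
    recipient_address: str
    description: str   # what PHI was released, e.g. "lab result"
    purpose: str       # statement of reason, or a reference to the written request


# Every field must be present. An entry with a blank field is rejected rather
# than stored, so the log can never hold an incomplete accounting.
REQUIRED_FIELDS = ("patient_id", "disclosed_on", "recipient_name",
                   "recipient_address", "description", "purpose")


class DisclosureLog:
    """Append-only store of Disclosure records (in-memory for this example)."""

    def __init__(self) -> None:
        self._entries: List[Disclosure] = []

    def record(self, entry: Disclosure) -> int:
        """Validate and append one disclosure; returns the new entry count."""
        missing = [f for f in REQUIRED_FIELDS if not getattr(entry, f)]
        if missing:
            raise ValueError(f"disclosure entry missing required field(s): {missing}")
        self._entries.append(entry)
        return len(self._entries)

    def accounting_for(self, patient_id: str,
                       start: Optional[date] = None,
                       end: Optional[date] = None) -> List[Disclosure]:
        """Entries for one patient, optionally limited to an inclusive date range."""
        return [e for e in self._entries
                if e.patient_id == patient_id
                and (start is None or e.disclosed_on >= start)
                and (end is None or e.disclosed_on <= end)]


# Minimum-necessary: each role sees only the record categories its job needs.
# Role and category names are constructed for the example.
ROLE_ACCESS = {
    "respiratory_therapist": {"clinical"},
    "billing_clerk": {"demographic", "financial"},
    "privacy_officer": {"clinical", "demographic", "financial", "disclosure_log"},
}


def may_access(role: str, category: str) -> bool:
    """Deny by default: an unknown role or an unlisted category gets nothing."""
    return category in ROLE_ACCESS.get(role, set())


def build_sample_log() -> DisclosureLog:
    """Constructed sample entries; all are disclosures that need no authorization."""
    log = DisclosureLog()
    log.record(Disclosure("P-1001", date(2024, 3, 2), "County Health Department",
                          "1 Civic Plaza, Springfield", "lab result (reportable disease)",
                          "public health reporting: disease control"))
    log.record(Disclosure("P-1001", date(2024, 5, 14), "Child Protective Services",
                          "40 State St, Springfield", "clinical notes from 2024-05-12 visit",
                          "report of suspected child abuse or neglect"))
    log.record(Disclosure("P-2002", date(2024, 5, 20), "State Vital Records Office",
                          "PO Box 9, Capital City", "birth certificate worksheet",
                          "reporting a vital event (birth)"))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.accounting_for("P-1001", start=date(2024, 4, 1)):
        print(e.disclosed_on, e.recipient_name, e.description, "|", e.purpose)
    print("respiratory_therapist -> financial:", may_access("respiratory_therapist", "financial"))
```

In a real system the log would be persisted to write-once storage and itself treated as a record category that only the Privacy Officer role can read, as the ROLE_ACCESS table above assumes.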
Common Employee Best Practices
The following is a list of common employee best practices for complying with HIPAA:
- Do not discuss or disclose any patient information with others, including family and friends, who do not have a need to know the information.
- Only access patient information that you are specifically authorized to access in order to perform your job duties.
- Keep computer passwords confidential.
- Report any security breaches to your supervisor or Privacy Officer.
Authorization NOT Required
There are many situations in which the use or disclosure of PHI does not require the individual's authorization, such as:
- Preventing or controlling disease (for example, an outbreak in the community)
- Reporting child abuse or neglect
- Reporting to the Food and Drug Administration (for example, adverse events or product defects)
- Reporting vital events such as births and deaths
Intentional or Unintentional Noncompliance
Noncompliance may occur intentionally or unintentionally. The following list provides examples of noncompliance with HIPAA:
- Leaving a sheet of paper containing PHI at the front desk where it is visible to others
- Leaving a computer unattended while logged in to a system containing PHI
- Knowingly releasing PHI to unauthorized individuals
- Selling PHI to marketing firms
Note: Penalties for HIPAA noncompliance include civil fines and, for knowing violations, criminal fines and prison time.
Breach of Confidentiality
This occurs when patient information is disclosed to others who do not have a right to access the information.
Patient Rights
Under HIPAA, patients have several rights regarding their protected health information (PHI), such as the right to:
- Access their PHI
- Request an amendment to their PHI
- Receive an accounting of uses and disclosures of their PHI
- Request further restrictions on uses and disclosures
Privacy Rule
HIPAA standards for the privacy of individually identifiable health information, in any form. The rule includes provisions that protect privileged communication, defines when PHI may be used or disclosed, and sets out patients' rights over their PHI.
Accidental Disclosure
An example of this is when health information is faxed or emailed to the wrong person. An accidental disclosure must still be reported internally and assessed as a possible breach.
ACA
Also known as the Patient Protection and Affordable Care Act of 2010: this law builds upon HIPAA with new and expanded provisions and required a unique, standard Health Plan Identifier (HPID). (HHS later rescinded the HPID requirement in 2019.)
Covered Entity
An organization that routinely handles protected health information and is therefore directly subject to the HIPAA rules. Types of covered entities:
- Health Care Providers (when they transmit health information electronically in connection with standard transactions): doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies
- Health Plans: health insurance companies, HMOs, company health plans, and government programs such as Medicare and Medicaid
- Health Care Clearinghouses: entities that convert nonstandard health information into a standard format (or vice versa) on behalf of providers and plans
Healthcare Policies and Procedures
Healthcare facilities must develop policies and procedures to prevent, detect, contain, and correct security violations, such as:
- Risk analysis: assess potential risks to PHI
- Risk management: reduce the identified risks to a reasonable level
- Sanction policy: penalties for workforce members who do not comply with security policies
- Information system activity review: audit logs, access tracking, reports, and monitoring
Safeguards
Measures taken to protect patient information. These can include policies requiring regular password changes, data backup processes, login monitoring, and a disaster recovery plan.
Authorization of PHI
Patients authorize the use or disclosure of their information by giving written permission to providers so that PHI may be released for purposes the Privacy Rule does not otherwise permit.