Health Insurance Portability and Accountability Act (HIPAA)
HIPAA for Professionals
- HHS Privacy Rule: set of national standards for the protection of individually identifiable information.
- HHS Security Rule: national standards protecting the confidentiality, integrity, and availability of electronic protected information.
- Enforcement Rule: national standards for the enforcement of all administrative simplification rules.
- https://www.hhs.gov/hipaa
HIPAA Patient Safety: 42 CFR Pt. 3
- Patient Safety and Quality Improvement Act of 2005 (PSQIA). Location: 42 CFR Part 3.
- PSQIA is used to encourage the reporting and analysis of medical errors. It establishes a voluntary reporting system to improve the efficacy of the data available to assess and resolve patient safety and health care quality issues.
- Patient safety work product: provides Federal privilege and confidentiality protections for patient safety information. Includes information collected or created during the reporting and analysis of safety events.
- Used to improve patient safety outcomes by encouraging reporting without fear of increased liability.
- Outcome: increased reporting frequency yields more successful patient safety.
- PSQIA 2005 Statute/Rule: https://www.hhs.gov/hipaa/for-professionals/patient-safety/statute-and-rule/index.html
- https://www.hhs.gov/hipaa
HIPAA Privacy: 45 CFR, Pt. 160
- Privacy Rule location: 45 CFR Part 160 and Subparts A and E of Part 164.
- National standards to protect individuals' medical records and other personal health information. Strengthens
- Applies to: health plans, health care clearinghouses, and health care providers that conduct certain electronic health care transactions.
- Sets limits on the uses and disclosures that may be made without patient authorization.
- Patients' rights over their health information: the right to examine and obtain a copy of their health records, and the right to request corrections.
- https://www.hhs.gov/hipaa
HIPAA Security: 45 CFR 160 and 164 A/c
- Security Rule location: 45 CFR Part 160 and Subparts A and C of Part 164.
- National standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.
- Requires administrative, physical, and technical safeguards.
- Purpose: ensure the confidentiality, integrity, and security of electronic protected health information.
- https://www.hhs.gov/hipaa
HIPAA Compliance & Enforcement
- HHS's Office for Civil Rights (HHS OCR) is responsible for Privacy and Security Rule enforcement.
- HIPAA covered entities are required to comply with the Security Rule; OCR is responsible for enforcing it.
- Enforcement process: investigating complaints, conducting compliance reviews, and carrying out education and outreach to foster compliance with Security Rule requirements.
- HIPAA Privacy/Security Rule complaint process: https://www.hhs.gov/sites/default/files/complaintflow2.JPG
- https://www.hhs.gov/hipaa
HIPAA Breach Notification
- HIPAA Breach Notification Rule location: 45 CFR §§ 164.400-414.
- Requires covered entities and their business associates to provide notification following a breach of unsecured protected health information.
- Definition of breach: generally, an impermissible use or disclosure under the Privacy Rule. It is considered a breach unless the covered entity demonstrates a low probability that the information has been compromised, based on a four-part risk assessment:
  1) The type of protected health information involved: the specific identifiers and the likelihood of re-identification.
  2) The unauthorized person who used the information or to whom it was disclosed.
  3) Whether the information was actually acquired or viewed.
  4) The extent to which the risk has been mitigated.
- Rules enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- For HITECH information: https://www.hhs.gov/hipaa/for-professionals/special-topics/HITECH-act-enforcement-interim-final-rule/index.html
- https://www.hhs.gov/hipaa
HIPAA Covered Entities & Business Associates
- HIPAA Rules apply to covered entities and business associates.
- Definition of covered entities: health care providers, health plans, health care clearinghouses. Additionally, business associates are directly liable for compliance with certain HIPAA provisions.
- Health care providers: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies; but only if they transmit information electronically in connection with an HHS-approved standard transaction.
- Health plans: health insurance companies, HMOs, company health plans, and government programs that pay for health care (Medicare, Medicaid, veterans' programs).
- Health care clearinghouses: entities that process nonstandard health information received from another entity into a standard electronic format, or vice versa.
- Entities that do not meet the definition of a covered entity or business associate: HIPAA compliance is not required (45 CFR 160.103).
- https://www.hhs.gov/hipaa
HIPAA and HHS: Public Law 104-191
- Health Insurance Portability and Accountability Act (HIPAA)
- US Department of Health and Human Services (HHS)
- HIPAA was created to improve the efficacy and efficiency of the health care system.
- Public Law 104-191 encompassed electronic health care transactions and code sets, unique health identifiers, and security provisions, and required HHS to implement these standards at the national level.
- Congress then mandated Federal privacy protections for individually identifiable health information, because advances in electronic technology could diminish that protection.
- https://www.hhs.gov/hipaa
HIPAA Rights for Individuals
- Federal regulations require health care providers and health insurance companies to restrict access to our health information to certain covered entities. HIPAA provides rights over health information, including the individual's right to access it and to have incorrect information updated.
- Rights for individuals: Medical Records; Employers and Health Information in the Workplace; Personal Representatives; Family Members and Friends; Court Orders and Subpoenas; Notice of Privacy Practices; Right to Access.
- Protection: information entered by doctors, nurses, and other health care providers into a medical record, pertaining to medical conversations, health insurance, and/or billing. Protected by covered entities; it cannot be shared without the individual's authorization.
- Covered entities (must have contracts): health plans, most health care providers, health care clearinghouses; business associates of covered entities.
- Entities not required to follow HIPAA: life insurers, employers, workers' compensation carriers, most schools and school districts, many state agencies such as child protective service agencies, most law enforcement agencies, many municipal offices.
- https://www.hhs.gov/hipaa