HIPAA


Enforcement and Penalties for Non-Compliance

- civil money penalties
- criminal penalties

Who must be HIPAA compliant?

- covered healthcare providers (hospitals, clinics, regional health services, individual medical practitioners) who carry out transactions in electronic form
- healthcare clearinghouses (billing services, repricing companies, community health management information systems, information systems, and value-added networks)
- health plans (including insurers, HMOs, Medicaid, Medicare prescription drug card sponsors, flexible spending accounts, public health authorities, in addition to employers, schools or universities who collect, store or transmit EPHI, or electronic protected health information)
- the company's business associates (including private sector vendors and third-party administrators)

Who is included in the health plans that are covered by the Security Rule?

- health
- dental
- vision
- prescription drug insurers
- health maintenance organizations ("HMOs")
- Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers
- long-term care insurers (excluding nursing home fixed-indemnity policies)
- Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.

What are the health care entities that are defined by HIPAA?

- health plans
- health care clearinghouses
- health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards

When can an HCP share information with a family member or friend?

- if, when given the opportunity, the patient does not object
- if the HCP, using professional judgment, decides the patient would not object
- if the person needs to know about the patient's care or payment for care

What information is protected for each individual?

- information your doctors, nurses, and other health care providers put in your medical record
- conversations your doctor has about your care or treatment with nurses and others
- information about you in your health insurer's computer system
- billing information about you at your clinic
- most other health information about you held by those who must follow these laws

When a covered entity is deciding which security measures to use, the Security Rule does not dictate measures but requires the entity to consider:

- its size, complexity, and capabilities
- its technical, hardware, and software infrastructure
- the costs of security measures
- the likelihood and possible impact of potential risks to e-PHI

HIPAA protects information that alone or combined may identify a patient, or the patient's relatives, employer or household members. What are some examples of this information?

- name
- address
- birthday
- phone numbers
- fax numbers
- email address
- social security number
- medical record number
- health plan beneficiary number
- account number
- voice recordings
- photographic images

What are some places you might find patient information?

- patient status board
- financial records
- fax sheets
- data used for research purposes
- patient's identification bracelet
- prescription bottle labels
- photo or video of a patient

What two government-funded programs are not health plans?

- those whose principal purpose is not providing or paying the cost of health care, such as food stamps
- those programs whose principal activity is directly providing health care, such as a community health center, or the making of grants to fund the direct provision of health care

Civil Money Penalties

- unintentional HIPAA violations could result in: a $100 fine per violation, up to $25,000 for multiple violations of the same standard in a calendar year

When can an HCP share relevant information?

- you give your provider or plan permission to share the information
- you are present and do not object to sharing the information
- you are not present, and the provider determines based on professional judgment that it's in your best interest

What are a patient's rights under HIPAA?

1. Access to Information - A person can request and receive a copy of their health information and may request that the copy be in electronic form. The covered entity may charge a reasonable fee for providing the copy in either paper or electronic form.
2. Amend information - A person may ask for their information to be amended to correct errors, but covered entities are only responsible for making changes in the records that they created.
3. Accounting of disclosures - An individual may request a list of all the times their information was released improperly.
4. Notice of Privacy Practices - An individual has the right to receive a written notice of privacy practices from covered entities that details the rights of the individual and the duties of the covered entity under HIPAA.

What should you do if you observe someone wrongfully disclosing PHI?

1. talk to the person who is disclosing PHI
2. talk to your supervisor about the situation

Audit Controls

A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.

Integrity Controls

A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.

Access Control

A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

Transmission Security

A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Evaluation

A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Workforce Training and Management

A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.

When was HIPAA signed into effect?

August 21, 1996

Information Access Management

Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).

When did the law of HIPAA officially become effective?

July 1, 1997

Security Officer

a covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures

What are some technical safeguards?

access control, audit controls, integrity controls, transmission security

How does the Privacy Rule give flexibility to providers and plans?

allows them to create their own privacy procedures (how they teach about privacy to new employees, who the privacy official is) tailored to fit their size and needs

What is a health care plan?

an individual or group plan that provides or pays for the cost of medical care

What is a health care clearinghouse?

an organization (public or private) that acts as a middleman between a provider and the entity that ultimately needs the information

Under the Security Rule, what does availability mean?

e-PHI is accessible and usable on demand by an authorized person

Under the Security Rule, what does integrity mean?

e-PHI is not altered or destroyed in an unauthorized manner

How does the Security Rule define confidentiality?

- e-PHI is not available or disclosed to unauthorized persons
- requires support of the Privacy Rule's prohibitions against improper uses and disclosures of PHI

What forms of an individual's protected health information does the Privacy Rule apply to?

electronic, written, and oral

The Privacy Rule protects protected health information (PHI) in any form, including:

email, fax, information on computer, voice, paper

Security Rule

established a national set of security standards for protecting certain health information that is held or transferred in electronic form.

HIPAA

health insurance portability and accountability act

Who does the Security Rule apply to?

health plans, healthcare clearinghouses, and any health care provider who transmits health information in an electronic form.

When can an HCP share information with friends or family if the patient is not present or is incapacitated?

if the HCP determines it is in the best interest of the patient, BUT may only discuss the information the person involved needs to know about the patient's care or payment

Criminal Penalties

Knowingly making unauthorized disclosures of PHI may result in:
- $50,000 fine
- imprisonment of not more than one year
- both a fine and imprisonment

Offenses which include false pretenses may result in:
- $100,000 fine
- imprisonment of not more than 5 years
- both a fine and imprisonment

An offense with the intent to sell information may result in:
- $250,000 fine
- imprisonment of not more than 10 years
- both a fine and imprisonment

What did HIPAA require the Secretary of the US Department of Health and Human Services to develop?

regulations to protect the privacy and security of certain health information

What are recommended safeguards that should be put in place regarding e-PHI?

security officer, information access management, workforce training and management, evaluation

What was the passing of HIPAA said to be?

the most significant act of federal legislation to affect the health care industry since Medicare and Medicaid were rolled out

What does the Privacy Rule establish national standards for?

the protection of certain health information.

What insurance entities are not health plans?

those providing only workers' comp, automobile insurance, and property and casualty insurance

What is the major goal of the Privacy Rule?

to make sure individuals' health information is properly protected while allowing the flow of health information needed to provide high quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of those who need care.

What is a major goal of the Security Rule?

to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.

True or false: the Security Rule does not apply to PHI transmitted orally or in writing

True. The Security Rule protects information covered by the Privacy Rule that a covered entity creates, receives, maintains, or transmits in electronic form (e-PHI).

When will Health and Human Services not impose a civil money penalty?

when a violation is due to reasonable cause and did not involve willful neglect and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.

If you wrongfully disclose PHI what should you do?

write down whose PHI was disclosed, how it was disclosed, to whom, the date and time, and what was done to correct the problem, and inform your supervisor immediately.

Physical safeguards

- A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed. A covered entity must also implement policies and procedures to specify proper use of and access to workstations and electronic media.
- A covered entity also must have policies and procedures in place regarding the transfer, removal, disposal, and re-use of electronic media. This will ensure the appropriate protection of e-PHI.

Written security records

- A covered entity must maintain written security policies and procedures and written records of required actions, activities or assessments.
- These written security records must be maintained for six years after either the creation date or the last effective date, whichever is most recent.
- A covered entity must periodically review and update its documentation.

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. What must covered entities do?

- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.

What does a risk analysis process include?

- Evaluate the likelihood and impact of potential risks to e-PHI.
- Implement appropriate security measures to address the risks identified in the risk analysis.
- Document the chosen security measures and, where required, the rationale for adopting those measures.
- Maintain continuous, reasonable, and appropriate security protections.

For health care providers and plans, what does the Privacy Rule require?

- Notify patients about their privacy rights and how their information can be used.
- Adopt and implement privacy procedures for the practice, hospital, or plan.
- Train employees so that they understand the privacy procedures.
- Designate an individual to be responsible for seeing that the privacy procedures are adopted and followed.
- Secure patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Privacy vs Security

- Privacy: patients have the right to have their health information protected from unauthorized disclosures
- Security: agencies must determine the procedures they will put into place to protect health information

Employer requests and HIPAA

- The Privacy Rule doesn't prevent your supervisor, a human resources worker or others from asking you for a doctor's note or other information about your health if your employer needs the information to administer sick leave, workers' comp, wellness programs or health insurance.
- If your employer asks your HCP for information about you, your HCP can't disclose the information without your authorization.

Who signed HIPAA into effect?

President Bill Clinton

Disclosing PHI to law enforcement

The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual's written authorization, under specific circumstances including, but not limited to:
- To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena.
- To respond to a request for PHI about a victim of a crime, when the victim agrees.
- To report PHI to law enforcement when required by law to do so.
- To alert law enforcement to the death of the individual, when there is a suspicion that the death resulted from criminal conduct.
