HIPAA

Published on Apr 21, 2016

PRESENTATION OUTLINE

HIPAA

PRIVACY AND SECURITY TRAINING
IN 1996 CONGRESS ENACTED THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

The primary purposes of HIPAA are:

1. To help people avoid losing their health insurance if they change jobs or have pre-existing health conditions

2. To reduce healthcare and administrative costs by creating standard electronic formats

3. To develop standards and requirements to protect the privacy and security of personal health information

Upon passage of HIPAA, the Department of Health and Human Services was required to issue two separate regulations.

The first is the privacy rule.

The privacy rule was enacted to hold health care facilities and physicians accountable for ensuring that patient information is kept confidential.

These processes include medical, administrative and technical safeguards for patient information and for how it is stored.

HIPAA covers a broad scope and touches just about every entity related to personal health information.

Entities include: healthcare plans, healthcare providers, healthcare clearinghouses, and business associates, including auditors, attorneys, billing firms and other entities who might have access to personal health information.

The HIPAA privacy rule allows the use and disclosure of protected health information (PHI) without an individual's authorization for the following purposes or situations:

  • To the individual or their authorized representative
  • For treatment, payment or health care operations
  • When the individual has the opportunity to agree or object, such as when the patient brings another person into the exam room or to an office visit
  • Incidental to an otherwise permitted use
  • For the purpose of research or public health
A Notice of Privacy Practices must inform patients of: the uses and disclosures of PHI that the entity may make, the patient's right to access and amend their medical information, and the covered entity's responsibilities regarding PHI.

Once it has obtained acknowledgement, or has made a good faith effort to do so, the entity may: use PHI for its own treatment, payment or health care operations; and disclose PHI to other covered entities for their treatment, payment or certain limited health care operations.

A health-related newsletter that a covered entity distributes to patients to inform them about new healthcare developments would not be considered marketing under the privacy rule.

The privacy rule also allows incidental disclosures of PHI as long as the covered entity uses reasonable safeguards and adheres to the "minimum necessary" standard.

The privacy rule requires the following administrative safeguards to ensure that PHI is not compromised:

A Privacy Officer: Designating a privacy officer to be responsible for the development and implementation of privacy policies and for receiving complaints.

Violations: Implementing rules for addressing violations of the privacy, security and transaction regulations, including establishing a process for making complaints and preventing retaliation against anyone who reports a HIPAA violation.

Security rule requirements include:

A Security Officer: Designating a security officer to be responsible for the development, implementation and evaluation of security policies.

Security rule requirements include: risk analysis, technical evaluations, and implementation of procedures to ensure computers are secure from intrusion.

Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level in order to comply with HIPAA requirements.

A Sanction Policy: Applying appropriate sanctions against employees who do not comply with HIPAA policies and procedures.

Information System Activity Review:

Implement procedures to regularly review records of system activity, such as audit logs, access reports and security incident tracking reports.

Employee Security:

Develop a plan for granting and limiting different levels of access to PHI, including clearance procedures and termination procedures.

Business Associate Agreements: Agreements with external recipients of PHI confirming that they will protect the confidentiality of the protected data exchanged.

A Contingency Plan: A plan for responding to system emergencies, including the performance of back-ups, emergency mode operations and disaster recovery procedures.

Security rule requirements include:

Security incident procedures: instructions for reporting and dealing with security breaches.

Physical safeguards including the following:

Facility access controls: develop a security plan that deters intruders from accessing environments where sensitive information resides.

Physical safeguards include the following: workstation use and security guidelines, meaning procedures describing the proper functions to be performed on computers and how to handle sensitive information that may be displayed on computer screens.

Media Controls: A set of procedures that govern the receipt and removal of hardware and software such as disks, memory sticks, laptops and PDAs, as well as procedures for off-site data back-up.

Technical safeguards for PHI include: Access controls to ensure sensitive information is available on a need-to-know basis depending on user responsibilities.

Audit Controls: Controls to record and examine system activity, helping to eliminate unnecessary access to sensitive information.

Data Authentication: Controls to help ensure health data has not been altered in an unauthorized manner.

Person or entity authentication: Controls to ensure that data is sent to the intended recipient and received by the intended party. These controls include password protection, PINs and, when data is sent over public networks, encryption.

Transmission security: Controls governing the sending of PHI via email and fax.

HIPAA non-compliance could lead to civil and criminal penalties of up to $1.5 million and may include imprisonment.

Remember:

Keep PHI confidential and on a need-to-know basis.

If you find a breach, report it to your supervisor immediately.

Make sure you safeguard clients' personal information at all times.

kim goebel