HIPAA Audio Presentation
LISA D. SHANNON, RN, JD
Understanding The HIPAA Privacy and Security Laws
OBJECTIVES
WHAT IS HIPAA?
SO, HOW HAS HIPAA CHANGED THE HEALTH CARE PICTURE?
THE HIPAA LAWS HAVE IMPACTED THE HEALTH CARE INDUSTRY BY…
THE PRIVACY AND SECURITY OF HEALTH INFORMATION
BUT FIRST… A FEW WORKING DEFINITIONS
DEFINITION… WHAT IS A COVERED ENTITY?
DEFINITION… WHAT IS A BUSINESS ASSOCIATE?
DEFINITION… PROTECTED HEALTH INFORMATION
EXAMPLES OF PROTECTED HEALTH INFORMATION Examples of PHI include but are not limited to the following:
WHAT DOES INDIVIDUALLY IDENTIFIABLE MEAN?
WHAT ARE SOME FORMS OF PHI? PHI MUST BE PROTECTED REGARDLESS OF ITS FORM OR MEDIUM
WHAT IS SECURED PHI?
WHAT IS UNSECURED PHI? Unsecured PHI is PHI in paper or electronic form that has not been secured through the use of a technology or methodology specified by the Department of Health and Human Services (HHS) that makes the PHI unusable, unreadable, or indecipherable to unauthorized individuals.
TREATMENT, PAYMENT AND HEALTHCARE OPERATIONS
EXAMPLES OF TPO: TREATMENT, PAYMENTS, HEALTH CARE OPERATIONS
THE MINIMUM NECESSARY PRINCIPLE
DEFINITION… MINIMUM NECESSARY PRINCIPLE
MINIMUM NECESSARY
MINIMUM NECESSARY DISCLOSURES
AUTHORIZED USES AND DISCLOSURES OF PHI
WHO CAN REQUEST AND AUTHORIZE THE RELEASE OF PHI? Hierarchy for the authorization and release of PHI.
DEFINITION… WHO IS THE PERSONAL REPRESENTATIVE?
AUTHORIZATION AND DISCLOSURE
PHI RIGHTS CREATED BY THE HIPAA PRIVACY LAWS
AN INDIVIDUAL HAS A RIGHT TO… AN ACCOUNTING OF DISCLOSURES
AN INDIVIDUAL HAS A RIGHT TO… REQUEST AN AMENDMENT
AN INDIVIDUAL HAS A RIGHT TO… REQUEST A RESTRICTION
RESTRICTIONS ON DISCLOSURES OF OUT-OF-POCKET SERVICE
DEFINITION… PHI SECURITY REQUIREMENTS
“THE AMERICAN RECOVERY & REINVESTMENT ACT” (ARRA) OR “THE ACT”
HIPAA LAW UPDATE – ARRA “THE AMERICAN RECOVERY AND REINVESTMENT ACT”
ARRA: 2009 HIPAA AMENDMENTS
ARRA AND BUSINESS ASSOCIATES
BREACHES OF PHI
WHAT IS A BREACH OF PHI? A “Breach” is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security/privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
WHAT IS NOT A BREACH OF PHI
BREACH RISK ASSESSMENT? CEs and BAs are required to perform and document risk assessments on breaches of unsecured PHI to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure.
Risk Assessment Decision Tree
NEW SECURITY BREACH NOTIFICATION REQUIREMENT
WHAT MUST THE NOTICE INCLUDE?
THE NOTICE OF A BREACH OF UNSECURED PHI SHALL…
BUSINESS ASSOCIATE BREACH RESPONSIBILITIES? In the instance of a breach, the Business Associate shall, without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach, notify the Covered Entity of the breach. The notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during the breach. The Business Associate’s responsibility under the HITECH Act should be included in the Covered Entity’s business associate agreement (BAA) with the Business Associate.
EXCEPTIONS TO THE BREACH NOTIFICATION RULE
SWIMMING IN THE BREACH NOTIFICATION SAFE HARBOR?
THE BREACH LOG
ENFORCEMENT & ACCOUNTABILITY
INCREASED FINES AND PENALTIES
STRATEGIES FOR HIPAA COMPLIANCE
STRATEGIES FOR COMPLIANCE
THE PRIVACY AND SECURITY OF PHI
A BASIC HIPAA COMPLIANCE INITIATIVE The project management and communications arrows surround the phases because these activities are continuous for as long as the implementation project is in progress.
STEP 1. UNDERSTAND HIPAA.
STEP 1. UNDERSTAND HIPAA (CONT.).
STEP 2. BASELINE THE ORGANIZATION.
STEP 3. PLAN REMEDIATION STRATEGIES.
STEP 4. REMEDIATE THE ORGANIZATION.
STEP 5. VALIDATE COMPLIANCE.
STEP 6. MAINTAIN COMPLIANCE.
QUESTIONS?
THANK YOU FOR YOUR TIME AND ATTENTION

More Related Content

What's hot

Health Information Privacy and Security (November 8, 2021)
Health Information Privacy and Security (November 8, 2021)Health Information Privacy and Security (November 8, 2021)
Health Information Privacy and Security (November 8, 2021)Nawanan Theera-Ampornpunt
 
Understanding HIPAA
Understanding HIPAAUnderstanding HIPAA
Understanding HIPAAManas Deep
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)Sanjeev Bharwan
 
Data Privacy: What you need to know about privacy, from compliance to ethics
Data Privacy: What you need to know about privacy, from compliance to ethicsData Privacy: What you need to know about privacy, from compliance to ethics
Data Privacy: What you need to know about privacy, from compliance to ethicsAT Internet
 
Hipaa overview 073118
Hipaa overview 073118Hipaa overview 073118
Hipaa overview 073118robint2125
 
HIPPA Compliance
HIPPA ComplianceHIPPA Compliance
HIPPA Compliancedixibee
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliancePrince George
 
Introduction to the Reference Model for an Open Archival Information System (...
Introduction to the Reference Model for an Open Archival Information System (...Introduction to the Reference Model for an Open Archival Information System (...
Introduction to the Reference Model for an Open Archival Information System (...Michael Day
 
2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research Training2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research TrainingCynthia Holland
 
Hippa training on confidentiality
Hippa training on confidentialityHippa training on confidentiality
Hippa training on confidentialitycraig45365
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by QualsysQualsys Ltd
 
Health care confidentiality and privacy
Health care confidentiality and privacyHealth care confidentiality and privacy
Health care confidentiality and privacysawanda
 

What's hot (20)

Health Information Privacy and Security (November 8, 2021)
Health Information Privacy and Security (November 8, 2021)Health Information Privacy and Security (November 8, 2021)
Health Information Privacy and Security (November 8, 2021)
 
Hitech Act
Hitech ActHitech Act
Hitech Act
 
HIPAA
HIPAAHIPAA
HIPAA
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy
 
Understanding HIPAA
Understanding HIPAAUnderstanding HIPAA
Understanding HIPAA
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA Compliance
 
Hitech Act
Hitech ActHitech Act
Hitech Act
 
HIPAA
HIPAAHIPAA
HIPAA
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
 
Hipaa for business associates simple
Hipaa for business associates   simpleHipaa for business associates   simple
Hipaa for business associates simple
 
Data Privacy: What you need to know about privacy, from compliance to ethics
Data Privacy: What you need to know about privacy, from compliance to ethicsData Privacy: What you need to know about privacy, from compliance to ethics
Data Privacy: What you need to know about privacy, from compliance to ethics
 
Hipaa overview 073118
Hipaa overview 073118Hipaa overview 073118
Hipaa overview 073118
 
HIPPA Compliance
HIPPA ComplianceHIPPA Compliance
HIPPA Compliance
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
 
Introduction to the Reference Model for an Open Archival Information System (...
Introduction to the Reference Model for an Open Archival Information System (...Introduction to the Reference Model for an Open Archival Information System (...
Introduction to the Reference Model for an Open Archival Information System (...
 
2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research Training2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research Training
 
Hippa training on confidentiality
Hippa training on confidentialityHippa training on confidentiality
Hippa training on confidentiality
 
HIPAA Basics by Brian Fleetham
HIPAA Basics by Brian FleethamHIPAA Basics by Brian Fleetham
HIPAA Basics by Brian Fleetham
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by Qualsys
 
Health care confidentiality and privacy
Health care confidentiality and privacyHealth care confidentiality and privacy
Health care confidentiality and privacy
 

Viewers also liked

Hipaa101 updated
Hipaa101 updatedHipaa101 updated
Hipaa101 updatedkkurapat
 
HIPAA Training: Preventing Employees from Violating HIPAA
HIPAA Training: Preventing Employees from Violating HIPAAHIPAA Training: Preventing Employees from Violating HIPAA
HIPAA Training: Preventing Employees from Violating HIPAAjbhicks
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceJay Hodes
 
Hippa slide show
Hippa slide showHippa slide show
Hippa slide showheathercool
 
HIPAA Training - 2011
HIPAA Training - 2011HIPAA Training - 2011
HIPAA Training - 2011darichardson
 
Annual Results and Impact Evaluation Workshop for RBF - Day One - Using Oper...
Annual Results and Impact Evaluation Workshop for RBF - Day One -  Using Oper...Annual Results and Impact Evaluation Workshop for RBF - Day One -  Using Oper...
Annual Results and Impact Evaluation Workshop for RBF - Day One - Using Oper...RBFHealth
 
ARRA Overview Illinois Workforce Partnership Regional Meetings
ARRA Overview Illinois Workforce Partnership Regional MeetingsARRA Overview Illinois Workforce Partnership Regional Meetings
ARRA Overview Illinois Workforce Partnership Regional MeetingsCSW
 
The Fundamentals of HIPAA Privacy & Security Risk Management
The Fundamentals of HIPAA Privacy & Security Risk ManagementThe Fundamentals of HIPAA Privacy & Security Risk Management
The Fundamentals of HIPAA Privacy & Security Risk ManagementKeySys Health
 
HIPAA Compliance Checklist
HIPAA Compliance ChecklistHIPAA Compliance Checklist
HIPAA Compliance ChecklistLeigh-Ann Renz
 
Sample Business Associate Agreement
Sample Business Associate AgreementSample Business Associate Agreement
Sample Business Associate AgreementJorge M. Abril, P.A.
 
Protecting PHI with encryption for HIPAA compliance
Protecting PHI with encryption for HIPAA complianceProtecting PHI with encryption for HIPAA compliance
Protecting PHI with encryption for HIPAA complianceTodd Merrill
 
A project approach to HIPAA
A project approach to HIPAAA project approach to HIPAA
A project approach to HIPAADaniel P Wallace
 
HIPAA Summary for Training
HIPAA Summary for Training HIPAA Summary for Training
HIPAA Summary for Training MDManagement
 

Viewers also liked (20)

Hipaa101 updated
Hipaa101 updatedHipaa101 updated
Hipaa101 updated
 
HIPAA
HIPAAHIPAA
HIPAA
 
HIPAA Training: Preventing Employees from Violating HIPAA
HIPAA Training: Preventing Employees from Violating HIPAAHIPAA Training: Preventing Employees from Violating HIPAA
HIPAA Training: Preventing Employees from Violating HIPAA
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of Compliance
 
Hippa slide show
Hippa slide showHippa slide show
Hippa slide show
 
HIPAA Training - 2011
HIPAA Training - 2011HIPAA Training - 2011
HIPAA Training - 2011
 
Annual Results and Impact Evaluation Workshop for RBF - Day One - Using Oper...
Annual Results and Impact Evaluation Workshop for RBF - Day One -  Using Oper...Annual Results and Impact Evaluation Workshop for RBF - Day One -  Using Oper...
Annual Results and Impact Evaluation Workshop for RBF - Day One - Using Oper...
 
ARRA Overview Illinois Workforce Partnership Regional Meetings
ARRA Overview Illinois Workforce Partnership Regional MeetingsARRA Overview Illinois Workforce Partnership Regional Meetings
ARRA Overview Illinois Workforce Partnership Regional Meetings
 
The Fundamentals of HIPAA Privacy & Security Risk Management
The Fundamentals of HIPAA Privacy & Security Risk ManagementThe Fundamentals of HIPAA Privacy & Security Risk Management
The Fundamentals of HIPAA Privacy & Security Risk Management
 
Hipaa
HipaaHipaa
Hipaa
 
HIPAA Compliance Checklist for Medical Practices
HIPAA Compliance Checklist for Medical PracticesHIPAA Compliance Checklist for Medical Practices
HIPAA Compliance Checklist for Medical Practices
 
ICD Resource Book: a legacy for the Conservation through Poverty Alleviation ...
ICD Resource Book: a legacy for the Conservation through Poverty Alleviation ...ICD Resource Book: a legacy for the Conservation through Poverty Alleviation ...
ICD Resource Book: a legacy for the Conservation through Poverty Alleviation ...
 
2010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V12010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V1
 
HIPAA Compliance Checklist
HIPAA Compliance ChecklistHIPAA Compliance Checklist
HIPAA Compliance Checklist
 
Sample Business Associate Agreement
Sample Business Associate AgreementSample Business Associate Agreement
Sample Business Associate Agreement
 
Protecting PHI with encryption for HIPAA compliance
Protecting PHI with encryption for HIPAA complianceProtecting PHI with encryption for HIPAA compliance
Protecting PHI with encryption for HIPAA compliance
 
A project approach to HIPAA
A project approach to HIPAAA project approach to HIPAA
A project approach to HIPAA
 
HIPAA HITECH training 7-9-12
HIPAA HITECH training 7-9-12HIPAA HITECH training 7-9-12
HIPAA HITECH training 7-9-12
 
HIPAA Summary for Training
HIPAA Summary for Training HIPAA Summary for Training
HIPAA Summary for Training
 

Similar to HIPAA Audio Presentation

Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingvrgill22
 
HIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiHIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiAtlantic Training, LLC.
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarcEtienne6
 
Introduction to HIPAA for Healthcare Professionals by OUP
Introduction to HIPAA for Healthcare Professionals by OUPIntroduction to HIPAA for Healthcare Professionals by OUP
Introduction to HIPAA for Healthcare Professionals by OUPAtlantic Training, LLC.
 
Mha 690 week one discussion ii
Mha 690 week one discussion iiMha 690 week one discussion ii
Mha 690 week one discussion iibeleza1669
 
Mha 690 week one discussion ii
Mha 690 week one discussion iiMha 690 week one discussion ii
Mha 690 week one discussion iibeleza1669
 
HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 Meg Oser
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentialityjessie66
 
health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxamartya2087
 
Hipaa basics pp2
Hipaa basics pp2Hipaa basics pp2
Hipaa basics pp2martykoepke
 
Introduction to HIPAA and Confidentiality for Employees
Introduction to HIPAA and Confidentiality for EmployeesIntroduction to HIPAA and Confidentiality for Employees
Introduction to HIPAA and Confidentiality for EmployeesHouse of New Hope
 
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardHIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardAtlantic Training, LLC.
 
HIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis SpencerHIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis Spencershay1234
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...susmitaghosh93
 

Similar to HIPAA Audio Presentation (20)

Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy training
 
HIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiHIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of Hawaii
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentation
 
Introduction to HIPAA for Healthcare Professionals by OUP
Introduction to HIPAA for Healthcare Professionals by OUPIntroduction to HIPAA for Healthcare Professionals by OUP
Introduction to HIPAA for Healthcare Professionals by OUP
 
Hipaa inservice
Hipaa inserviceHipaa inservice
Hipaa inservice
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2
 
Mha 690 week one discussion ii
Mha 690 week one discussion iiMha 690 week one discussion ii
Mha 690 week one discussion ii
 
Mha 690 week one discussion ii
Mha 690 week one discussion iiMha 690 week one discussion ii
Mha 690 week one discussion ii
 
HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 HIPAA INSERVICE 2017
HIPAA INSERVICE 2017
 
Annual HIPAA Training
Annual HIPAA TrainingAnnual HIPAA Training
Annual HIPAA Training
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & Security
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentiality
 
health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptx
 
Hipaa basics pp2
Hipaa basics pp2Hipaa basics pp2
Hipaa basics pp2
 
Introduction to HIPAA and Confidentiality for Employees
Introduction to HIPAA and Confidentiality for EmployeesIntroduction to HIPAA and Confidentiality for Employees
Introduction to HIPAA and Confidentiality for Employees
 
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardHIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
 
HIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis SpencerHIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis Spencer
 
CONFIDENTIALITYANDHIPAA.ppt
CONFIDENTIALITYANDHIPAA.pptCONFIDENTIALITYANDHIPAA.ppt
CONFIDENTIALITYANDHIPAA.ppt
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
 

Recently uploaded

Unit I herbs as raw materials, biodynamic agriculture.ppt
Unit I herbs as raw materials, biodynamic agriculture.pptUnit I herbs as raw materials, biodynamic agriculture.ppt
Unit I herbs as raw materials, biodynamic agriculture.pptPradnya Wadekar
 
Different drug regularity bodies in different countries.
Different drug regularity bodies in different countries.Different drug regularity bodies in different countries.
Different drug regularity bodies in different countries.kishan singh tomar
 
Physiology of Smooth Muscles -Mechanics of contraction and relaxation
Physiology of Smooth Muscles -Mechanics of contraction and relaxationPhysiology of Smooth Muscles -Mechanics of contraction and relaxation
Physiology of Smooth Muscles -Mechanics of contraction and relaxationMedicoseAcademics
 
Neurological history taking (2024) .
Neurological  history  taking  (2024)  .Neurological  history  taking  (2024)  .
Neurological history taking (2024) .Mohamed Rizk Khodair
 
pA2 value, Schild plot and pD2 values- applications in pharmacology
pA2 value, Schild plot and pD2 values- applications in pharmacologypA2 value, Schild plot and pD2 values- applications in pharmacology
pA2 value, Schild plot and pD2 values- applications in pharmacologyDeepakDaniel9
 
AORTIC DISSECTION and management of aortic dissection
AORTIC DISSECTION and management of aortic dissectionAORTIC DISSECTION and management of aortic dissection
AORTIC DISSECTION and management of aortic dissectiondrhanifmohdali
 
Generative AI in Health Care a scoping review and a persoanl experience.
Generative AI in Health Care a scoping review and a persoanl experience.Generative AI in Health Care a scoping review and a persoanl experience.
Generative AI in Health Care a scoping review and a persoanl experience.Vaikunthan Rajaratnam
 
Clinical Research Informatics Year-in-Review 2024
Clinical Research Informatics Year-in-Review 2024Clinical Research Informatics Year-in-Review 2024
Clinical Research Informatics Year-in-Review 2024Peter Embi
 
PAIN/CLASSIFICATION AND MANAGEMENT OF PAIN.pdf
PAIN/CLASSIFICATION AND MANAGEMENT OF PAIN.pdfPAIN/CLASSIFICATION AND MANAGEMENT OF PAIN.pdf
PAIN/CLASSIFICATION AND MANAGEMENT OF PAIN.pdfDolisha Warbi
 
BENIGN BREAST DISEASE
BENIGN BREAST DISEASE BENIGN BREAST DISEASE
BENIGN BREAST DISEASE Mamatha Lakka
 
ANATOMICAL FAETURES OF BONES FOR NURSING STUDENTS .pptx
ANATOMICAL FAETURES OF BONES  FOR NURSING STUDENTS .pptxANATOMICAL FAETURES OF BONES  FOR NURSING STUDENTS .pptx
ANATOMICAL FAETURES OF BONES FOR NURSING STUDENTS .pptxWINCY THIRUMURUGAN
 
EXERCISE PERFORMANCE.pptx, Lung function
EXERCISE PERFORMANCE.pptx, Lung functionEXERCISE PERFORMANCE.pptx, Lung function
EXERCISE PERFORMANCE.pptx, Lung functionkrishnareddy157915
 
CONNECTIVE TISSUE (ANATOMY AND PHYSIOLOGY).pdf
CONNECTIVE TISSUE (ANATOMY AND PHYSIOLOGY).pdfCONNECTIVE TISSUE (ANATOMY AND PHYSIOLOGY).pdf
CONNECTIVE TISSUE (ANATOMY AND PHYSIOLOGY).pdfDolisha Warbi
 
Role of Soap based and synthetic or syndets bar
Role of  Soap based and synthetic or syndets barRole of  Soap based and synthetic or syndets bar
Role of Soap based and synthetic or syndets barmohitRahangdale
 
ORAL HYPOGLYCAEMIC AGENTS - PART 2.pptx
ORAL HYPOGLYCAEMIC AGENTS  - PART 2.pptxORAL HYPOGLYCAEMIC AGENTS  - PART 2.pptx
ORAL HYPOGLYCAEMIC AGENTS - PART 2.pptxNIKITA BHUTE
 
Male Infertility, Antioxidants and Beyond
Male Infertility, Antioxidants and BeyondMale Infertility, Antioxidants and Beyond
Male Infertility, Antioxidants and BeyondSujoy Dasgupta
 
power point presentation of Clinical evaluation of strabismus
power point presentation of Clinical evaluation  of strabismuspower point presentation of Clinical evaluation  of strabismus
power point presentation of Clinical evaluation of strabismusChandrasekar Reddy
 

Recently uploaded (20)

Unit I herbs as raw materials, biodynamic agriculture.ppt
Unit I herbs as raw materials, biodynamic agriculture.pptUnit I herbs as raw materials, biodynamic agriculture.ppt
Unit I herbs as raw materials, biodynamic agriculture.ppt
 
Different drug regularity bodies in different countries.
Different drug regularity bodies in different countries.Different drug regularity bodies in different countries.
Different drug regularity bodies in different countries.
 
Physiology of Smooth Muscles -Mechanics of contraction and relaxation
Physiology of Smooth Muscles -Mechanics of contraction and relaxationPhysiology of Smooth Muscles -Mechanics of contraction and relaxation
Physiology of Smooth Muscles -Mechanics of contraction and relaxation
 
Neurological history taking (2024) .
Neurological  history  taking  (2024)  .Neurological  history  taking  (2024)  .
Neurological history taking (2024) .
 
pA2 value, Schild plot and pD2 values- applications in pharmacology
pA2 value, Schild plot and pD2 values- applications in pharmacologypA2 value, Schild plot and pD2 values- applications in pharmacology
pA2 value, Schild plot and pD2 values- applications in pharmacology
 
AORTIC DISSECTION and management of aortic dissection
AORTIC DISSECTION and management of aortic dissectionAORTIC DISSECTION and management of aortic dissection
AORTIC DISSECTION and management of aortic dissection
 
Generative AI in Health Care a scoping review and a persoanl experience.
Generative AI in Health Care a scoping review and a persoanl experience.Generative AI in Health Care a scoping review and a persoanl experience.
Generative AI in Health Care a scoping review and a persoanl experience.
 
Clinical Research Informatics Year-in-Review 2024
Clinical Research Informatics Year-in-Review 2024Clinical Research Informatics Year-in-Review 2024
Clinical Research Informatics Year-in-Review 2024
 
PAIN/CLASSIFICATION AND MANAGEMENT OF PAIN.pdf
PAIN/CLASSIFICATION AND MANAGEMENT OF PAIN.pdfPAIN/CLASSIFICATION AND MANAGEMENT OF PAIN.pdf
PAIN/CLASSIFICATION AND MANAGEMENT OF PAIN.pdf
 
BENIGN BREAST DISEASE
BENIGN BREAST DISEASE BENIGN BREAST DISEASE
BENIGN BREAST DISEASE
 
ANATOMICAL FAETURES OF BONES FOR NURSING STUDENTS .pptx
ANATOMICAL FAETURES OF BONES  FOR NURSING STUDENTS .pptxANATOMICAL FAETURES OF BONES  FOR NURSING STUDENTS .pptx
ANATOMICAL FAETURES OF BONES FOR NURSING STUDENTS .pptx
 
EXERCISE PERFORMANCE.pptx, Lung function
EXERCISE PERFORMANCE.pptx, Lung functionEXERCISE PERFORMANCE.pptx, Lung function
EXERCISE PERFORMANCE.pptx, Lung function
 
Rheumatoid arthritis Part 1, case based approach with application of the late...
Rheumatoid arthritis Part 1, case based approach with application of the late...Rheumatoid arthritis Part 1, case based approach with application of the late...
Rheumatoid arthritis Part 1, case based approach with application of the late...
 
CONNECTIVE TISSUE (ANATOMY AND PHYSIOLOGY).pdf
CONNECTIVE TISSUE (ANATOMY AND PHYSIOLOGY).pdfCONNECTIVE TISSUE (ANATOMY AND PHYSIOLOGY).pdf
CONNECTIVE TISSUE (ANATOMY AND PHYSIOLOGY).pdf
 
Role of Soap based and synthetic or syndets bar
Role of  Soap based and synthetic or syndets barRole of  Soap based and synthetic or syndets bar
Role of Soap based and synthetic or syndets bar
 
Immune labs basics part 1 acute phase reactants ESR, CRP Ahmed Yehia Ismaeel,...
Immune labs basics part 1 acute phase reactants ESR, CRP Ahmed Yehia Ismaeel,...Immune labs basics part 1 acute phase reactants ESR, CRP Ahmed Yehia Ismaeel,...
Immune labs basics part 1 acute phase reactants ESR, CRP Ahmed Yehia Ismaeel,...
 
GOUT UPDATE AHMED YEHIA 2024, case based approach with application of the lat...
GOUT UPDATE AHMED YEHIA 2024, case based approach with application of the lat...GOUT UPDATE AHMED YEHIA 2024, case based approach with application of the lat...
GOUT UPDATE AHMED YEHIA 2024, case based approach with application of the lat...
 
ORAL HYPOGLYCAEMIC AGENTS - PART 2.pptx
ORAL HYPOGLYCAEMIC AGENTS  - PART 2.pptxORAL HYPOGLYCAEMIC AGENTS  - PART 2.pptx
ORAL HYPOGLYCAEMIC AGENTS - PART 2.pptx
 
Male Infertility, Antioxidants and Beyond
Male Infertility, Antioxidants and BeyondMale Infertility, Antioxidants and Beyond
Male Infertility, Antioxidants and Beyond
 
power point presentation of Clinical evaluation of strabismus
power point presentation of Clinical evaluation  of strabismuspower point presentation of Clinical evaluation  of strabismus
power point presentation of Clinical evaluation of strabismus
 

HIPAA Audio Presentation

  • 1. LISA D. SHANNON, RN, JD Understanding The HIPAA Privacy and Security Laws
  • 2.
  • 3.
  • 4. SO, HOW HAS HIPAA CHANGED THE HEALTH CARE PICTURE?
  • 5.
  • 6.
  • 7. BUT FIRST… A FEW WORKING DEFINITIONS
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15. WHAT IS UNSECURED PHI? Unsecured PHI is PHI in paper or electronic form that has not been secured through the use of a technology or methodology specified by the Department of Health and Human Services (HHS), that makes the PHI unusable, unreadable, or indecipherable to unauthorized individuals.
  • 16. TREATMENT, PAYMENT AND HEALTHCARE OPERATIONS
  • 23. AUTHORIZED USES AND DISCLOSURES OF PHI
  • 24. WHO CAN REQUEST AND AUTHORIZE THE RELEASE OF PHI? Hierarchy for the authorization and release of PHI.
  • 27. PHI RIGHTS CREATED BY THE HIPAA PRIVACY LAWS
  • 33. “THE AMERICAN RECOVERY & REINVESTMENT ACT” (ARRA) OR “THE ACT”
  • 38. WHAT IS A BREACH OF PHI? A “breach” is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain it.
  • 40. BREACH RISK ASSESSMENT? CEs and BAs are required to perform and document a risk assessment on each breach of unsecured PHI to determine whether there is a significant risk of harm to the individual as a result of the impermissible use or disclosure.
  • 45. BUSINESS ASSOCIATE BREACH RESPONSIBILITIES? In the instance of a breach, the Business Associate shall, without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach, notify the Covered Entity. The notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during the breach. The Business Associate’s responsibilities under the HITECH Act should be included in the Covered Entity’s business associate agreement (BAA) with the Business Associate.
  • 52. STRATEGIES FOR HIPAA COMPLIANCE
  • 55. A BASIC HIPAA COMPLIANCE INITIATIVE The project management and communications arrows surround the phases because these activities are continuous for as long as the implementation project is in progress.

Editor's Notes

  1. HIPAA is a Federal law that sets national standards for how most health care providers must protect the privacy of a patient’s health information. Its initial thrust was to standardize electronic transactions and code sets.
  2. There was a time when access to your medical records was largely up to your health care provider.
  3. Prior to the HIPAA rules, your private health information really was not all that private: it could legally be sold or accessed, and it could be used to determine your life insurance premiums or even your mortgage rate!
  4. Blood banking service versus a medical transcriptionist.
  5. For example, medical record numbers: in a silo they would have no meaning, but this is information that, if used in the appropriate setting, “could reasonably be expected” to identify an individual. Though not actual health information, the point is that individually identifiable information is information that can be linked back to the individual and their health information.
  6. These are the only two methods (encryption and destruction) that have been approved by the Department of Health and Human Services to secure PHI.
  7. When PHI can be used or disclosed, along with other legally required purposes (e.g., criminal investigations).
  8. Treatment: a discussion by the attending physician with a consulting physician about a proposed treatment plan for the patient. Health care operations: quality and process improvement purposes.
  9. How PHI must be used or disclosed
  10. That require prior authorization from the patient or his/her personal representative
  11. Discuss the state pre-emption as it relates to common-law spouses.
  12. Durable powers of attorney and health care powers of attorney: this designation trumps the marital relationship, and why.
  13. Best practice is to develop a standardized authorization-to-release form that includes the required language.
  14. Earlier I mentioned that as a result of the HIPAA laws a patient has greater access to and control over their PHI; in this section I’d like to detail those rights.
  15. Just as the patient has the right to access his or her PHI, he or she has a right to know who else has accessed it. The HIPAA Privacy Rule compliance date was April 14, 2003.
  16. Alcoholism, drug abuse etc.
  17. Additional Burden
  18. Disclosures for payment purposes: a patient can request that services paid for out of pocket not be disclosed to an insurance company for payment evaluations.
  19. The HIPAA Security Rule applies specifically to ePHI (electronic PHI); the Privacy Rule protects PHI regardless of how it is stored: paper, electronic, photographs and radiographs, among other things. For example: access to the Medical Records Department is locked and restricted to those authorized to enter; or electronic PHI is encrypted so that, if it were inadvertently intercepted, it would be useless to the interceptor.
  20. Federal privacy and security laws (HIPAA) were expanded to protect patient health information. In summary, the Act:
     Applies the HIPAA privacy and security laws directly to business associates of covered entities.
     Defines the actions that constitute a breach of patient health information (including inadvertent disclosures) and requires notification to patients if their health information is breached.
     Allows patients to pay out of pocket for a health care item or service in full and to request that the claim not be submitted to the health plan.
     As I mentioned earlier, requires that patients be provided, upon request, an accounting of disclosures of their health information.
     Prohibits the sale of a patient’s health information without the patient’s written authorization, except in limited circumstances involving research or public health activities.
     Prohibits covered entities from being paid to use patients’ health information for marketing purposes without patient authorization, except for limited communications to a patient about a drug or biologic the patient is currently being prescribed.
     Requires personal health record (PHR) vendors to notify individuals of a breach of patient health information.
     Requires non-covered entities such as Health Information Exchanges, Regional Health Information Organizations, e-Prescribing Gateways, and PHR vendors to have business associate agreements with covered entities for the electronic exchange of patient health information.
     Authorizes increased civil monetary penalties for HIPAA violations.
     Grants state attorneys general authority to enforce HIPAA.
  21. Best practice includes assembling a database of all business associate agreements, providing addenda to all existing BAAs, and developing a BAA template that includes the new HIPAA HITECH requirements. Blood bank issue: notice of intent to terminate the business associate agreement.
  22. As a result of the ARRA came the national breach notification rules. Most states have had privacy laws on the books for some time, and within these laws were specific procedures for notification subsequent to a breach of private information. For example, some states have specific time frames, whereas others follow the federal guideline of “without unreasonable delay and in no case longer than 60 days”.
  23. The Radiology Department accidentally faxes a patient’s head CT report to the Dietary Department. This is not a breach of PHI if Dietary notifies Radiology and then places the PHI in a locked shred box. In this instance, by placing the PHI in the shred box, the Dietary Department has ensured that there will be no further use or disclosure of that PHI.
  24. Notably, not all breaches require patient notification. In the event of an alleged breach, a risk assessment must be done regarding the type of information that was improperly used or disclosed. The CE or BA must: determine whether there has been an impermissible use or disclosure of PHI (as defined by the HIPAA Privacy Rule); determine and document whether the impermissible use or disclosure compromises the security or privacy of the PHI; and, if necessary, determine whether the incident falls under one of the three exceptions where no notification is required. Exceptions: (1) an unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of the CE or BA, made in good faith and within the scope of that authority, with no further use or disclosure; (2) an inadvertent disclosure by a person authorized to access PHI at the CE or BA to another person authorized to access PHI at the same CE or BA, with no further use or disclosure; or (3) a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information. Note that the “significant risk of harm” standard described here comes from the 2009 interim final rule; the 2013 Omnibus Rule replaced it with a presumption that an impermissible use or disclosure is a breach unless a documented four-factor risk assessment demonstrates a low probability that the PHI has been compromised.
  25. Best practice is to develop a breach notification letter template and to pre-establish the steps those affected would need to follow in the event of a breach. Redemption codes for identity theft protection plans, or more detailed breach reaction services: on-going services wherein specially trained customer service representatives
  26. Don’t forget the state pre-emption analysis!
  27. Here the requirement is that the BA notify the Covered Entity; as I indicated on the previous slide, it is the responsibility of the CE to notify the affected party. There is nothing to preclude the BA from participating in the notification process. For example: a contracted dialysis service has a computer stolen from the dialysis lab. This computer contains PHI that belongs to the host hospital but is being used by the dialysis service for treatment purposes. The dialysis service is required to notify the host hospital (the CE) of the breach, and with the permission of the host hospital, the dialysis service may participate in notifying those affected because of the pre-existing relationship. The BA is not authorized to notify those affected without the permission of the CE or host hospital.
  28. Along with breaches that fall under the risk assessment’s three exceptions, there is also a Safe Harbor from the breach notification requirement.
  29. As we discussed previously, secured PHI has been rendered unusable, unreadable or indecipherable by one of the two HHS-specified methods: encryption (for ePHI) or destruction (paper shredded or otherwise destroyed so that it cannot be reconstructed; electronic media cleared, purged or destroyed). Physical safeguards, such as keeping paper records in a locked, secure area protected from unauthorized access, use or disclosure, are still required under the Privacy and Security Rules, but they do not by themselves make PHI “secured” for purposes of the breach notification safe harbor. Unsecured PHI is the converse. Best practice is to secure PHI.
  30. The breach log should also include a summary of the risk assessment performed to determine whether it was a reportable breach.
  31. The HIPAA laws have also resulted in more stringent enforcement and accountability standards.
  32. The April edition of the Guide to Medical Privacy and HIPAA reports that a major insurer has spent 7 million dollars, and counting, to mitigate the largest reported data breach in history: 57 company hard drives were stolen from a leased facility, resulting in the largest reported breach since the HITECH notification requirements took effect. The hard drives contained information that was encoded, but not encrypted. The breached files contained recordings of telephone calls between providers and the company’s customer service representatives relating to eligibility and coordination of care. The 7 million dollars has been spent on credit and identity monitoring services, security audits, and the cost of employees to investigate and analyze hundreds of thousands of breached files.
  33. I’d like to leave you with some strategies for HIPAA compliance.
  34. At the most basic level, compliance strategies must be based upon…
  35. Although the HIPAA rules are complicated in their construction, surprisingly most of the laws are based upon common sense and treating the information as if it belonged to you.
  36. Find out or establish where your organization is right now on the compliance continuum.