New Omnibus HIPAA Rule
New rights for patients
Tighter definition of HIPAA violations (breaches)
New emphasis by Office of Civil Rights (OCR)
Government to audit HIPAA compliance
New emphasis on sanctions and fines when HIPAA breaches are
The HIPAA Law
HIPAA, which stands for the Health Insurance Portability and
Accountability Act, is a set of rules to be followed by doctors, hospitals
and other health care providers. HIPAA helps ensure that all medical
records, medical billing, and patient accounts meet certain consistent
standards with regard to documentation, handling and privacy.
Is Your Facility HIPAA Compliant for 2014?
Any healthcare provider that electronically stores, processes or transmits
medical records, medical remittances, or certificates must comply with HIPAA
regulations. HIPAA does not require a practice to purchase a computer-based
system as it applies only to electronic medical transactions.
Why do I care?
• Once you are part of a covered entity, you are responsible for
safeguarding all Protected Health Information (PHI), whether it is
transmitted electronically, in paper format or orally. As an
employee, you are responsible for protecting PHI.
Minimum Necessary PHI
• An organization may share only the minimum amount of PHI necessary, except for requests made:
• By the patient or as requested by the patient to others
• By the Secretary of the Department of Health & Human Services (DHHS)
• As required by law
• To complete standardized electronic transactions as required by HIPAA
• An organization is a covered entity and may share PHI for:
• Treatment, payment and health care operations
• Disclosures required by law
• Public health and other governmental reporting
When can you use PHI?
Only to do your job! And on a
“NEED TO KNOW” BASIS.
For many other uses and disclosures of PHI…
An organization must get a signed consent for release from the patient before releasing any PHI, following the
guidelines set by the organization.
It is very important for all employees to know “When in doubt ask!”
Individuals who breach HIPAA policies for any organization will be subject to appropriate
discipline, including termination and loss of employment. As a reminder, it is not worth it.
HIPAA Changes in 2013
• Updated Notices of Privacy Practices
• Patients can request an accounting of all access to their records
• Patients can change their visitation requests as often as they like
• We can use some PHI for fundraising as long as the patient can opt out
• Allowed to disclose student immunizations
• PHI can’t be sold unless patients are told
• Changes in fines for breaches
What are some steps I can take to ensure I am
• Do not remove PHI from the office, except as necessary to perform your job
• Use caution when faxing information: verify the receiver, double-check the fax number,
use a cover sheet, and call to confirm that the fax was
• When discussing PHI, speak in a low voice to ensure that no one other than the
intended recipient can hear what you are discussing.
• When walking away from your workstation, do not leave the screen open with patient information on it.
• Log off or lock workstations when not in use
• Do not share passwords or work on someone else’s computer
• Keep offices secure
• Keep all portable storage devices locked up
• When sending PHI outside of the facility, use encryption
When in doubt
Ask management, your supervisor
or the compliance officer.
Hilo Medical Center, Education Department, September 5, 2013, 2013 HIPAA Omnibus Rule Training, Retrieved September 30, 2013