Health Insurance Portability and Accountability Act (HIPAA) Training
Karen Meyer, RN, BSN, CIC
MHA690 – Healthcare Capstone
Ashford University
Instructor: Hwang-Ji Lu
February 28, 2013

What is HIPAA?
- HIPAA requires health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared (California Department of Healthcare Services, n.d.).
- This applies to all forms of PHI, including written, oral, electronic, photographic images, audio, and video.

What is PHI?
- Any individually identifiable health information:
  - Created or received by covered entity or business associate.
  - Relates to past, present, or future physical or mental health or condition of an individual.
  - Transmitted in any form or medium.

Examples of PHI
- Device identifiers and serial numbers
- Social security numbers
- Email addresses
- Account numbers
- URLs
- Names
- Photographs
- Medical record numbers
- Fax numbers
- IP address numbers
- License numbers
- Geographical identifiers
- Any other unique identifying number
- Health insurance numbers
- Phone numbers
- Dates
- Vehicle identifiers
- Biometric identifiers

HIPAA Enforcement and Penalties
- The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for enforcing privacy rule standards.
- Criminal Penalties:
  - Wrongfully accessing or disclosing PHI: up to $50,000; up to 1 year imprisonment
  - Obtaining PHI under false pretenses: up to $100,000; up to 5 years imprisonment
  - If wrongful conduct involves the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: up to $250,000; up to 10 years imprisonment
Reference: U.S. Department of Health & Human Services (2003).

HIPAA Permitted Uses and Disclosures of PHI
- PHI may be used and disclosed to facilitate treatment, payment, and healthcare operations, which means:
  - PHI may be disclosed to other providers for treatment.
  - PHI may be disclosed to other covered entities for payment.
  - PHI may be disclosed to other covered entities that have a relationship with the patient for certain healthcare operations such as quality improvement, credentialing, and compliance.
  - PHI may be disclosed to individuals involved in a patient’s care or payment for care unless the patient objects.

Rules for Access
- Access to computer systems and information is based on your work duties and responsibilities.
- Access privileges are limited to only the minimum necessary information you need to do your work.
- Access to an information system does not automatically mean that you are authorized to view or use all the data in that system.
- If job duties change, clearance levels for access to ePHI are re-evaluated.
- Access is eliminated if an employee is terminated.
- Accessing ePHI for which you are not cleared or for which there is no job-related purpose will subject you to sanctions.

Rules for Protecting Information
- Do not allow unauthorized persons into restricted areas where access to PHI or ePHI could occur.
- Arrange computer screens so they are not visible to unauthorized persons and/or patients; use security screens in areas accessible to the public.
- Log in with a password, log off prior to leaving the work area, and do not leave the computer unattended.
- Close files not in use and turn over paperwork containing PHI.
- Do not duplicate, transmit, or store PHI without appropriate authorization.
- Storage of PHI on unencrypted removable devices (Disk/CD/DVD/Thumb Drives) is prohibited without prior authorization.

Conclusion
- All employees are required to follow HIPAA and will be held accountable for their actions.
- ALWAYS follow the rules for access and rules for protecting information.

References
California Department of Healthcare Services. (n.d.). Health insurance portability and accountability act. Retrieved from http://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00%20WhatisHIPAA.aspx
U.S. Department of Health and Human Services. (2003). Summary of the HIPAA privacy rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf