HIPAA: What is it?
HIPAA does the following:
- Creates standards for protecting the privacy of health information
- Creates standards for the security of health information
- Creates standards for electronic exchange of health information
What is covered by HIPAA? Protected Health Information
The HIPAA Privacy Rule covers and sets standards for the collecting, sharing and storing of a person's Protected Health Information, or PHI for short. PHI is information that:
- Relates to past, present or future physical or mental health or condition, or to payment for and provision of health care
- Identifies the individual in a personal way
- Provides a reasonable basis to be used to identify the individual
- Is created or received by a Covered Entity
What is private health information?
Protected health information (PHI) is:
- Individually identifiable health information
- Transmitted or maintained in any form or medium by a Covered Entity or its Business Associate
- Health information, including demographic information
- Relates to an individual's physical or mental health or the provision of or payment for health care
- Identifies the individual
Types of PHI
- Billing information
- Medical insurance forms
- Prescriptions
- Patient charts/records (paper or electronic)
What does HIPAA apply to?
- Forms
- Spoken communication
- E-mails
- Faxes
Protecting PHI with HIPAA means:
- Removal of certain identifiers so that the individual who is the subject of the PHI may no longer be identified, by either:
  - Application of a statistical method, or
  - Stripping of listed identifiers such as: names; geographic subdivisions smaller than a state; all elements of dates; SSNs
- Not discussing PHI with anyone other than those directly responsible for providing health care (provider, clinician, technician, etc.)
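The identifier-stripping method above is mechanical enough to show in code. The following is an added example, not part of the training material: it takes a constructed patient record, drops the four identifier classes the slide names (names, geographic subdivisions smaller than a state, all elements of dates, SSNs) from both structured fields and free text, and then checks the result for anything that still looks like an identifier before the record is released. The field names and the sample record are assumptions made for the example; the regulation's full list of identifiers to strip is longer than the four shown here, and the statistical method is not demonstrated.

```python
import re
from typing import Dict, List

# Constructed field names for this example; a real record layout will differ.
NAME_FIELDS = {"name", "first_name", "last_name"}
# Geographic subdivisions smaller than a state are removed; "state" is kept.
SUBSTATE_GEO_FIELDS = {"street", "city", "county", "zip"}
# "All elements of dates": date-valued fields are removed outright.
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}
SSN_FIELDS = {"ssn"}

# Patterns for identifiers that may also be embedded in free-text fields.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DATE_RE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "street": "1 Main St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62701",
    "dob": "1980-04-12",
    "admission_date": "03/02/2023",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient Jane Example (SSN 123-45-6789) seen on 03/02/2023; "
             "follow up 2023-03-16.",
}


def deidentify(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the record with the listed identifiers stripped.

    Structured identifier fields are dropped entirely; remaining string
    fields are scrubbed of SSNs, dates, and any name values the record
    itself carried (so free-text notes do not re-identify the patient).
    """
    drop = NAME_FIELDS | SUBSTATE_GEO_FIELDS | DATE_FIELDS | SSN_FIELDS
    known_names = [record[k] for k in NAME_FIELDS if record.get(k)]
    out = {}
    for key, value in record.items():
        if key in drop:
            continue
        if isinstance(value, str):
            for name in known_names:
                value = re.sub(re.escape(name), "[NAME REMOVED]", value,
                               flags=re.IGNORECASE)
            value = SSN_RE.sub("[SSN REMOVED]", value)
            value = DATE_RE.sub("[DATE REMOVED]", value)
        out[key] = value
    return out


def residual_identifiers(record: Dict[str, str]) -> List[str]:
    """Release check: names of fields whose values still look like an SSN or a date."""
    flagged = []
    for key, value in record.items():
        if isinstance(value, str) and (SSN_RE.search(value) or DATE_RE.search(value)):
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print("before release check:", residual_identifiers(SAMPLE_RECORD))
    print("after release check: ", residual_identifiers(clean))
    for k, v in clean.items():
        print(f"{k}: {v}")
```

The check in residual_identifiers is the part worth keeping even if the stripping rules change: it is run on the output, not the input, so a new free-text field that slips an SSN or date through the filter is caught before the record leaves the Covered Entity.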
Patient's Rights
Patients have the right to:
- Obtain and amend their PHI
- Request restrictions on uses and disclosures
- Request more confidential communications
- Receive an accounting of disclosures
- Complain about privacy violations
Use and disclosure of PHI:
- Patients are entitled to know how their PHI will be used and who will receive their PHI
- Patients have a right to see privacy disclosures regarding their PHI
Special Rules of HIPAA
Special rules for certain types of entities:
- Some Covered Entities have additional privacy regulations covering areas like directories, marketing and fund raising.
- Administrative requirements of Covered Entities may involve detailed record-keeping and procedural compliance issues.
Enforcement of HIPAA
- There are potential penalties and fines for noncompliance. Penalties start at $100, and can be as strict as $25,000 per year.
- If an employee or patient makes a complaint, it will be investigated, and if necessary, subsequent corrective action will follow.
- Covered Entities or programs will have a process to receive and investigate complaints.
Anti-Retaliation Policy
- Retaliation against anyone who may file a complaint is strictly prohibited.
- Individuals may file a complaint with either the Covered Entity or the U.S. Department of Health and Human Services.
Reasonable Physical and Technological Safeguards
- Telephones: How do you know the person you are talking to is authorized to receive an employee's PHI?
- Disposing of PHI: When you dispose of PHI (both hard copy and electronic), how can you be certain that it is appropriately destroyed?
- E-mail: How can you be sure PHI is secure when it's sent via e-mail?
- Fax machines: When faxing PHI, how can you be sure the right person will read it on the other end?
- Mail: Sending PHI through the mail may have restrictions.
- Storing PHI: Safeguarding PHI on computer databases, file cabinets, even laptop computers will have to follow procedure.
What does this mean to you?
- Do not let anyone use your username and password
- Log off of your computer when you walk away from it
- Do not use anyone else's username and password
- Do not discuss private health information of any patient outside of the care setting
- Do not discuss private health information of any patient with someone other than a direct caregiver
- Do not look up any health records unless it is a patient under your care and the information is for the purpose of providing patient care
- Do not look up your own private health information