© 2020 AHIMA
ahima.org
Health Information Management: Concepts, Principles, and Practice
Sixth Edition
Chapter 11
Data Privacy, Confidentiality, and Security
Protecting Patient Information
• Privacy
• Confidentiality
• Security

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Ensures health insurance portability
• Establishes standards for electronic claims and national identifiers
• Protects against fraud and abuse
• Assures the privacy and security of protected health information (PHI)

Title II: HIPAA Administrative Simplification
• Privacy Rule
  • Assures individuals’ health information is properly protected while allowing for quality care
• Security Rule
  • Specifies administrative, technical, and physical security procedures for covered entities to assure the confidentiality, integrity, and availability of electronic PHI

Title II: HIPAA Administrative Simplification
• The HITECH-HIPAA Omnibus Privacy Act
  • Enacted to promote the adoption and meaningful use of health information technology
• Breach Notification Rule
  • Creates a process for covered entities and business associates to investigate and evaluate if a breach occurred for an unauthorized use or disclosure of PHI

Privacy Rule
• Uses and disclosures of PHI
• Minimum necessary
• Business associate agreements
• Notice of privacy practices
• Patients’ rights
  • Request privacy protections
  • Access their health information
  • Request amendments
  • Receive an accounting of disclosures
• Administrative requirements

Privacy Rule
Organizations must implement policies and procedures to address each standard and a process to ensure that they are being followed
Security Rule
• Administrative safeguards
• Physical safeguards
• Technical safeguards
• Organizational safeguards
• Required vs. addressable standards

Breach Notification Rule
• Unauthorized uses and disclosures of PHI at any time may be considered a breach
• Requires covered entities and business associates to investigate/evaluate if a breach occurred using specific guidelines/protocols
  • Risk assessment

HITECH-HIPAA Omnibus Privacy Act
• Established to address HITECH requirements
• Strengthens privacy and security of PHI
• Modifies the breach notification rule
• Strengthens privacy protections for genetic information
• Makes business associates liable for compliance

HITECH-HIPAA Omnibus Privacy Act
• Strengthens limitations on the use and disclosure of PHI for marketing and fundraising
• Allows patients increased restriction rights
• Allows for authorization of future research studies with appropriate description of how PHI will be used
HIPAA Enforcement
• Compliance
• Investigations
• Penalties for violations
• Procedures for hearings
• Corrective action plan (CAP)
• Civil monetary penalty (CMP)
• Reasonable cause
• Willful neglect
Disclosure Management
• Use
• Disclosure
• Authorization
• Designated record set

Use and Disclosure with Patient Authorization
• A valid authorization for disclosure of information is required for the following:
  • Disclosure of PHI not permitted to be released without an authorization
  • Psychotherapy notes
  • Marketing
  • Sale of PHI
  • Compound authorizations

Use and Disclosure without Patient Authorization
• For the purpose of treatment, payments, or healthcare operations (TPO)
• Accounting of disclosures
• Deidentification
  • Expert determination method
  • Safe harbor method
• Reidentification

Use and Disclosure Requiring an Opportunity to Object
• The Privacy Rule allows the patient to agree or object to disclosure of PHI within the facility directory
• Oral acceptance or objection is acceptable
• A clear process should be established to assure all patients are given the right to object to PHI being entered in the directory

Patient Identity Management for Use and Disclosures of PHI
• Verification of requestor identity must be completed prior to disclosing any patient information in any format
• Best practice recommends that multiple elements are checked with the patient or patient representative for identity verification

Confidentiality of Alcohol and Drug Abuse Patient Records
• Must follow Privacy Rule as well as added safeguards due to the sensitive nature of the patient’s care
• The Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2)
  • Only allows specific exceptions to the authorization of patient consent
  • Authorization requires specific components to be valid
  • Notice of Confidentiality of Alcohol & Drug Abuse Patient Records

State Privacy and Security Laws
• Compliance with both federal and state privacy and security regulations required
• Preemption
  • State law
  • Contrary
  • Stringent

Managing an Effective Security Program
• The HIPAA Security Rule requires organizations to implement a variety of physical, technical, and administrative safeguards to protect patient data
• Privacy and security compliance program
• Policies and procedures

Assessment of Risk
• Risk analysis
• Risk management
  • Implementation of security measures to reduce or eliminate risks
  • Mitigate the risk
  • Transfer the risk
  • Accept the risk
  • Residual risk
• Promoting Interoperability (PI) Program
Audit Logs and Monitoring
• Security audit
• Audit log
• Log-in monitoring

Contingency Planning
• Contingency plan (disaster plan)
  • Prepares organizations for an event that may happen which could impact the ability to access patient information, the integrity of the information, or the confidentiality of information

Contingency Planning (continued)
• Data backup plan
  • Organizations must create and store exact copies of electronic protected health information
  • Defines how the system is being backed up, the method of backing up the data, location of the backup, frequency of the backup, and testing of the backup

Contingency Planning (continued)
• Disaster recovery plan
  • Defines the processes for recovery of data in the event of a disaster
• Emergency mode operation plan
  • Creates processes and procedures to support the continuation of critical business and patient care operations while protecting the security of ePHI in the event of a disaster

Contingency Planning (continued)
• Emergency access
  • Procedures for getting access to the necessary ePHI in the event of an emergency situation
• Software criticality analysis
  • Assessing systems to determine how crucial the information in the system is to day-to-day healthcare operations and patient care

Data Security Methods
• User authentication
• Encryption
  • Data at rest
  • Data in motion
• Decryption
• Cryptographic key
• Plaintext
• Ciphertext
Malicious Software Management
• Malware
• Virus
• Worm
• Trojan horse
• Logic bomb
• Rootkit
• Ransomware
• Phishing

Privacy and Security in HIE
• Challenges
  • Patient identity/patient matching
  • Consumer privacy/patient rights
• Best practices
  • Risk analysis
  • Policies and procedures
  • Dedicated individual or team
  • Education of the workforce
• Blockchain

Mobile Health Technology
• BYOD
• Laptop computers
• Tablets
• Smart phones
• USB drives
• Wearable technology
• External hard drives
• Policies and procedures should be established to safeguard mobile technology being used within the organization and to protect ePHI

Workforce Training
The HIPAA Privacy and Security Rules require formal education and training of the workforce to ensure ongoing accountability for the privacy and security of PHI
HIPAA Training Components
• New employees
• Ongoing training and awareness building
• Retraining
HIPAA Training Principles and Strategies
• Levels of training
• Best practices
• Documentation