HM480 Ab103318 ch11
- 3. © 2020 AHIMA
ahima.org
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Ensures health insurance portability
• Establishes standards for electronic claims and national identifiers
• Protects against fraud and abuse
• Assures the privacy and security of protected health information (PHI)
- 4. Title II: HIPAA Administrative Simplification
• Privacy Rule
  • Assures individuals’ health information is properly protected while allowing for quality care
• Security Rule
  • Specifies administrative, technical, and physical security procedures for covered entities to assure the confidentiality, integrity, and availability of electronic PHI
- 5. Title II: HIPAA Administrative Simplification
• The HITECH-HIPAA Omnibus Privacy Act
  • Enacted to promote the adoption and meaningful use of health information technology
• Breach Notification Rule
  • Creates a process for covered entities and business associates to investigate and evaluate if a breach occurred for an unauthorized use or disclosure of PHI
- 6. Privacy Rule
• Uses and disclosures of PHI
• Minimum necessary
• Business associate agreements
• Notice of privacy practices
• Patients’ rights
  • Request privacy protections
  • Access their health information
  • Request amendments
  • Receive an accounting of disclosures
• Administrative requirements
- 7. Privacy Rule
Organizations must implement policies and procedures to address each standard, and a process to ensure that they are being followed.
- 8. Security Rule
• Administrative safeguards
• Physical safeguards
• Technical safeguards
• Organizational safeguards
• Required vs. addressable standards
- 9. Breach Notification Rule
• Unauthorized uses and disclosures of PHI at any time may be considered a breach
• Requires covered entities and business associates to investigate/evaluate if a breach occurred using specific guidelines/protocols
  • Risk assessment
- 10. HITECH-HIPAA Omnibus Privacy Act
• Established to address HITECH requirements
• Strengthens privacy and security of PHI
• Modifies the breach notification rule
• Strengthens privacy protections for genetic information
• Makes business associates liable for compliance
- 11. HITECH-HIPAA Omnibus Privacy Act
• Strengthens limitations on the use and disclosure of PHI for marketing and fundraising
• Allows patients increased restriction rights
• Allows for authorization of future research studies with appropriate description of how PHI will be used
- 12. HIPAA Enforcement
• Compliance
• Investigations
• Penalties for violations
• Procedures for hearings
• Corrective action plan (CAP)
• Civil monetary penalty (CMP)
• Reasonable cause
• Willful neglect
- 14. Use and Disclosure with Patient Authorization
• A valid authorization for disclosure of information is required for the following:
  • Disclosure of PHI not permitted to be released without an authorization
  • Psychotherapy notes
  • Marketing
  • Sale of PHI
• Compound authorizations
- 15. Use and Disclosure without Patient Authorization
• For the purpose of treatment, payment, or healthcare operations (TPO)
• Accounting of disclosures
• Deidentification
  • Expert determination method
  • Safe harbor method
• Reidentification
- 16. Use and Disclosure Requiring an Opportunity to Object
• The Privacy Rule allows the patient to agree or object to disclosure of PHI within the facility directory
• Oral acceptance or objection is acceptable
• A clear process should be established to assure all patients are given the right to object to PHI being entered in the directory
- 17. Patient Identity Management for Use and Disclosures of PHI
• Verification of requestor identity must be completed prior to disclosing any patient information in any format
• Best practice recommends that multiple elements are checked with the patient or patient representative for identity verification
- 18. Confidentiality of Alcohol and Drug Abuse Patient Records
• Must follow the Privacy Rule as well as added safeguards due to the sensitive nature of the patient’s care
• The Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2)
  • Only allows specific exceptions to the authorization of patient consent
  • Authorization requires specific components to be valid
  • Notice of Confidentiality of Alcohol & Drug Abuse Patient Records
- 19. State Privacy and Security Laws
• Compliance with both federal and state privacy and security regulations is required
• Preemption
• State law
• Contrary
• Stringent
- 20. Managing an Effective Security Program
• The HIPAA Security Rule requires organizations to implement a variety of physical, technical, and administrative safeguards to protect patient data
• Privacy and security compliance program
• Policies and procedures
- 21. Assessment of Risk
• Risk analysis
• Risk management
• Implementation of security measures to reduce or eliminate risks
  • Mitigate the risk
  • Transfer the risk
  • Accept the risk
• Residual risk
• Promoting Interoperability (PI) Program
- 23. Contingency Planning
• Contingency plan (disaster plan)
  • Prepares organizations for an event that may happen which could impact the ability to access patient information, the integrity of the information, or the confidentiality of information
- 24. Contingency Planning (continued)
• Data backup plan
  • Organizations must create and store exact copies of electronic protected health information
  • Defines how the system is being backed up, the method of backing up the data, location of the backup, frequency of the backup, and testing of the backup
- 25. Contingency Planning (continued)
• Disaster recovery plan
  • Defines the processes for recovery of data in the event of a disaster
• Emergency mode operation plan
  • Creates processes and procedures to support the continuation of critical business and patient care operations while protecting the security of ePHI in the event of a disaster
- 26. Contingency Planning (continued)
• Emergency access
  • Procedures for getting access to the necessary ePHI in the event of an emergency situation
• Software criticality analysis
  • Assessing systems to determine how crucial the information in the system is to day-to-day healthcare operations and patient care
- 27. Data Security Methods
• User authentication
• Encryption
• Data at rest
• Data in motion
• Decryption
• Cryptographic key
• Plaintext
• Ciphertext
- 29. Privacy and Security in HIE
• Challenges
  • Patient identity/patient matching
  • Consumer privacy/patient rights
• Best practices
  • Risk analysis
  • Policies and procedures
  • Dedicated individual or team
  • Education of the workforce
• Blockchain
- 30. Mobile Health Technology
• BYOD
  • Laptop computers
  • Tablets
  • Smart phones
  • USB drives
  • Wearable technology
  • External hard drives
• Policies and procedures should be established to safeguard mobile technology being used within the organization and to protect ePHI
- 31. Workforce Training
The HIPAA Privacy and Security Rules require formal education and training of the workforce to ensure ongoing accountability for the privacy and security of PHI.