This slideshow provides a brief overview of the basics of HIPAA. Viewers receive a walkthrough of its core fundamentals. This is Part 1 of 3 in a series that educates primary care providers on achieving HIPAA compliance.
2. COURSE OUTLINE
WHAT WE'RE COVERING
We will cover the progression of HIPAA from its origin until the present, including COVID-19 updates. Next, we will focus on the HIPAA Privacy and Security Rules.
3. DISCLAIMER
This Guide is not intended to serve as legal advice or as recommendations based on a provider or
professional’s specific circumstances. We encourage providers and professionals to seek expert
advice when evaluating the use of this Guide.
DAMIAN KNOWLES
4. A BRIEF HISTORY
WHAT IS HIPAA?
HIPAA is an acronym for "The Health Insurance Portability and Accountability Act." The Privacy, Security, and Breach Notification Rules issued under this Act protect a patient's health information and give patients rights over how that information is used and disclosed.
5. A BRIEF HISTORY
WHEN WAS HIPAA STARTED?
HIPAA was signed into law by President Bill Clinton on August 21, 1996.
6. A BRIEF HISTORY
WHAT IS THE INTENT OF HIPAA?
HIPAA was meant to improve the portability and continuity of health insurance coverage for employees moving between jobs. Another objective was to curb fraud and abuse in health insurance and in the health care industry as a whole. HIPAA also directed the creation of national standards for the health care industry to protect patients' medical records.
As technology advanced, the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 provided financial incentives for health care providers to migrate to electronic health records.
Meanwhile, Congress recognized that advances in electronic technology could negatively impact the privacy of health information. Consequently, Congress incorporated provisions that required the adoption of federal privacy protections for individually identifiable health information.
7. A BRIEF HISTORY
WHO MUST COMPLY WITH HIPAA?
Covered entities and business associates, as applicable, must follow the HIPAA rules. If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA rules.
8. COMMONLY USED TERMS
Implementation Specification
An implementation specification is a more detailed description of the method or approach primary care organizations can use to meet a particular Security Rule standard.
Addressable
"Addressable" means there is flexibility in how an implementation specification is met, not whether it is met. You must assess whether the specification is a reasonable and appropriate safeguard in your environment; if it is, implement it. If it is not, document why and implement an equivalent alternative measure if one is reasonable and appropriate. Doing nothing and leaving it undocumented is not an option.
Required
"Required" implementation specifications must be implemented as written; if they are not, you automatically fail to comply with the Security Rule.
9. BUSINESS ASSOCIATES
A business associate (BA) is a person or organization, other than a workforce member of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI.
WHAT IS A COVERED ENTITY?
A covered entity (CE) is a health care provider, health plan, or health care clearinghouse that is subject to the HIPAA rules. Examples of each follow on the next slide.
10. EXAMPLES OF COVERED ENTITIES
• Health care providers, including hospitals, nursing homes, and pharmacies
• Health plans
• Health care clearinghouses
EXAMPLES OF BUSINESS ASSOCIATES
Any subcontractor of a covered entity with access to protected health information, for example:
• E-prescriber gateways
• Transcriptionists
• Lawyers
11. 3 MUST-KNOW HIPAA RULES
The Privacy Rule
The Privacy Rule sets national standards for when protected health information (PHI) may be used and disclosed.
The Security Rule
The Security Rule specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
The Breach Notification Rule
The Breach Notification Rule requires covered entities to notify affected individuals; the U.S. Department of Health & Human Services (HHS); and, in some cases, the media of a breach of unsecured PHI.
12. HIPAA BASICS
WHAT TYPES OF INFORMATION DOES HIPAA PROTECT?
The Privacy Rule protects most individually identifiable health information held or transmitted by a CE or its BA, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" or "PHI."
13. COMMONLY USED TERMS
WHAT IS PROTECTED HEALTH INFORMATION?
Protected Health Information (PHI) is any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity, in any form, including verbal communications. PHI is information that can be linked to a particular person and that is created, used, or disclosed while providing a health care service (e.g., diagnosis or treatment).
14. HIPAA BASICS
WHO IS RESPONSIBLE FOR ENFORCEMENT?
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) handles enforcement of the HIPAA Privacy, Security, and Breach Notification Rules.
15. ENFORCEMENT EXAMPLE: $2.5M SETTLEMENT
A laptop containing the ePHI of 1,391 individuals was stolen. The investigation revealed insufficient risk analysis and risk management processes in place at the time of the theft.
16. FINES ARE TIERED BY LEVEL OF CULPABILITY
PENALTIES FOR VIOLATIONS
• Did Not Know or Could Not Have Known
• Reasonable Cause and Not Willful Neglect
• Willful Neglect, but Corrected Within 30 Days
• Willful Neglect and Not Corrected Within 30 Days
[Bar chart: penalty amount per violation by tier, lowest for "Didn't Know" and highest for "Willful Neglect, not corrected within 30 days"; the y-axis runs from 0 to 125,000.]
17. HIPAA BASICS
THE HIPAA PRIVACY RULE
The HIPAA Privacy Rule limits uses and disclosures of patient information.
18. DO I NEED TO INFORM MY PATIENTS ABOUT HOW I USE OR DISCLOSE THEIR HEALTH INFORMATION?
Yes. A CE must prominently post and distribute a Notice of Privacy Practices (NPP). The notice must describe the ways in which the CE may use and disclose PHI. The notice must also state the CE's duties to protect privacy, to provide an NPP, and to abide by the terms of the current notice.
19. NOTICE OF PRIVACY PRACTICES
NPPs must include the following information:
• How the CE may use and disclose an individual's PHI
• The individual's rights with respect to the information, and how the individual may exercise those rights
• The CE's legal duties with respect to the information, including a statement that the CE is required by law to maintain the privacy of PHI and to provide this notice
• How the individual may complain to the CE
• Whom individuals can contact for further information
20. DO I HAVE TO GET MY PATIENTS' PERMISSION TO DISCLOSE THEIR PHI TO ANOTHER CE?
No. A CE may disclose PHI to another CE without authorization for:
• Treatment of the patient,
• The other CE's payment activities, or
• Certain health care operations of the other CE, where both CEs have (or had) a relationship with the patient, such as quality assessment reviews or fraud and abuse detection or compliance.
21. WHEN ARE PATIENT AUTHORIZATIONS NOT REQUIRED FOR DISCLOSURE?
You may disclose PHI about a patient without the patient's authorization as necessary for treatment, payment, and health care operations purposes.
22. DO I NEED PERMISSION FOR DISCLOSURES TO FAMILY, FRIENDS, AND OTHERS INVOLVED IN THE CARE OF THE INDIVIDUAL, AS WELL AS FOR NOTIFICATION PURPOSES?
Yes. To make disclosures to family and friends involved in the individual's care, for notification purposes, or to other persons whom the individual identifies, you must obtain informal permission by asking the individual outright, or by determining that the individual did not object in circumstances that clearly gave the individual the opportunity to agree, acquiesce, or object.
23. DO I NEED PERMISSION TO DISCLOSE INFORMATION IF NEEDED TO ENSURE PUBLIC HEALTH AND SAFETY?
No. You may disclose PHI without individual authorization in the following situations:
• To send immunization records to schools,
• To a public health authority that is authorized by law to collect the information,
• To a foreign government agency that is collaborating with a public health authority, or
• To persons at risk of contracting or spreading a disease, where authorized by law.
24. WHEN ARE PATIENT AUTHORIZATIONS REQUIRED FOR DISCLOSURE?
• Psychotherapy notes
• Marketing activities
• PHI sales and licensing
• Research
25. WHAT IS DE-IDENTIFIED PHI?
De-identified health information neither identifies nor provides a reasonable basis to identify an individual.
26. WHAT ABOUT PATIENT INFORMATION PERTAINING TO BEHAVIORAL HEALTH OR SUBSTANCE ABUSE?
The HIPAA rules apply equally to all PHI, including individually identifiable behavioral health or substance abuse information that your practice collects or maintains in a patient's record.
27. FEDERAL AND STATE PRIVACY LAWS — WHICH PREVAIL?
HIPAA sets a federal floor. The HIPAA rules do not override state laws that offer greater privacy protections and do not conflict with the rules; such state laws continue to apply alongside HIPAA.
28. THE HIPAA SECURITY RULE
The Security Rule's safeguards can help health care providers avoid some of the common security gaps that lead to intrusions, cyber attacks, and data loss.
29. SECURITY RULE SAFEGUARDS
Administrative
Administrative safeguards are administrative actions, policies, and procedures to prevent, detect, contain, and correct security violations.
Physical
Physical safeguards are physical measures, policies, and procedures to protect electronic information systems and equipment from natural and environmental hazards and unauthorized intrusion.
Technical
Technical safeguards are the technology, and the policies and procedures for its use, that protect ePHI and control access to it: access control, audit controls, integrity, person or entity authentication, and transmission security.
Organizational
These standards require a CE to have contracts or other arrangements with BAs that will have access to the CE's ePHI.
Policies and Procedures
These standards require a CE to adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule.
30. The HIPAA Breach Notification Rule
A breach is, generally, an impermissible use or disclosure
under the Privacy Rule that compromises the security or
privacy of PHI.
31. RISK ASSESSMENT PROCESS FOR BREACHES
When you suspect a breach of unsecured PHI has
occurred, first conduct a risk assessment in order to
examine the likelihood that the PHI has been
compromised.
32. REPORTING BREACHES
If, after performing the risk assessment, you determine that breach notification is required, there are three types of notification to be made: to the affected individuals, to the Secretary of HHS, and, in some cases, to the media.
33. OTHER LAWS AND REQUIREMENTS
Sensitive Health Information
Some laws recognize that particular health conditions may put individuals at a higher risk of discrimination or harm based on that condition. Some state laws require special treatment and handling of information relating to alcohol and drug abuse, genetics, domestic violence, mental health, and HIV/AIDS.
Adolescent/Minors' Information
State and federal laws generally authorize a parent or guardian to access a minor's information. Depending on age and health condition (e.g., reproductive health, child abuse, mental health), minors also have privacy protections related to their ability to consent to certain services under federal or state law.
Private Sector
A contracting health plan or payer may require additional confidentiality measures or safeguards.
34. REFERENCES
• HealthIT.gov, Guide to Privacy and Security
• The HIPAA Security Rule: Summary of the Security Rule
• The HIPAA Privacy Rule: Summary of the Privacy Rule