HIPAA
• Title I: protects health insurance for workers and their families when they lose or change jobs.
• Title II (InfoSec relevant): creates national standards for electronically transferred health care information.
• Title III: health plan tax adjustments.
• Title IV: group health plans.
• Title V: revenue offsets.

Title II – What You Should Know
• HIPAA key terms and general rules
• When you can share patient information and when you cannot
• Patients' rights regarding their health information

HIPAA Key Terms
• Protected Health Information (PHI)
  – Patient health information created by or given to a medical practitioner
  – Medical information that identifies the patient in any format, e.g. verbal, written, or electronic
  – Includes: names, addresses, dates, phone numbers, email addresses, social security numbers, license numbers, full-face photos, etc.
• Anything that identifies the patient

HIPAA Key Terms
• Covered Entities
  – Health care practitioners that hold electronic PHI
  – E.g. hospitals, family physicians, Blue Cross Blue Shield, Kaiser Permanente
  – Covered entities, and anyone they share their data with, are subject to HIPAA

HIPAA Key Terms
• TPO
  – (T) Treatment: activities for patient care
  – (P) Payment: monetary transactions for healthcare services
  – (O) Operations: regular activities of a covered entity to perform healthcare functions

HIPAA Key Terms
• Business Associate
  – Third parties who have access to PHI
    • E.g. security software vendors building a secure system for the healthcare practitioner
  – Business associates must sign an agreement acknowledging HIPAA compliance

HIPAA Key Terms
• Minimum Necessary Rule
  – PHI may only be accessed on an as-needed basis.
  – Only access enough PHI to complete the job at hand, and no more.

HIPAA Key Terms
• Notice of Privacy Practices (NPP)
  – Description of the ways the healthcare practitioner may use PHI without obtaining further patient authorization
  – Any time PHI is released for a reason other than TPO, further patient authorization is required

HIPAA Key Terms
• Use: internal use of PHI within the healthcare office
• Disclosure: external distribution of PHI within a larger healthcare system

HIPAA Key Terms
• Types of Disclosure
  1. No authorization required
     • Sharing PHI with other doctors for referrals
  2. No authorization required, but must provide an opportunity to object
     • Discussing PHI with family members in the room; the patient must be given the option of privacy
  3. Authorization required
     • Disclosing PHI for research

HIPAA Key Terms
• Incidental Disclosures
  – Speaking to a patient in a two-bed hospital room and the second patient overhears the conversation
  – Visitors hear a patient's name called in the waiting room
  – Health practitioners should do their best to avoid these and apply the minimum necessary rule

How to Violate HIPAA
• http://youtu.be/XyF40FZ0n5I

HIPAA Violations
• Covered entities and individuals are subject to violation penalties
• Up to $1.5 million in fines per HIPAA violation per year
• Criminal fines of up to $250,000 or up to 10 years in prison
• Is HIPAA enforced?
  – http://www.ama-assn.org/amednews/2012/04/30/bisd0502.htm

HIPAA Scenarios
1. If a doctor stores his patients' initials and medical notes on his iPhone, does the doctor's iPhone contain PHI?
2. As a doctor, are you allowed to email your patients' own medical information to their personal email accounts?
3. As a nurse, are you allowed to look up one of your patients' addresses to mail a get-well card?

HIPAA Scenario Answers
1. Yes, the iPhone now holds PHI and must be treated with the same care as an entire patient medical file.
2. No, you are not allowed to send PHI to your patient's personal email account because you cannot assure that the account is secure.
3. As a nurse you must abide by the minimum necessary rule, and sending a card is not necessary.

Ensure HIPAA Compliance
• Apply NIST Special Publication 800-66
  – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA)
  – http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

Assignment
• Imagine you're hired by a dentist's office to help transfer their operations from paper-file based to electronic-file based.
  – What sort of network system and security (physical and digital) would you recommend implementing?
  – Make sure to manage PHI correctly
  – Diagram the network
  – Write one single-spaced page explaining why it works