2. What is HIPAA?
• A federal law
• Established uniform rules for protecting health information and privacy
• Established civil and criminal penalties for violations of patient privacy
3. The Privacy Rule was founded on two very basic principles:
• Health information belongs to the patient
• Patients have a right to know how their information is being used
4. HIPAA Basics
• Covered Entities
• Business Associates
• Protected Health Information
• Use and Disclosure
• Role-based Access
• Minimum Necessary
• Patient Rights
5. Covered Entities
Groups or individuals required to comply with the law:
• Health plans
• Health Care Clearinghouses
• Health Care providers who conduct electronic transactions related to third-party billing
6. Business Associates (BA)
• Organizations with which a covered entity has a contract or special agreement in place in order to exchange information.
• Definition expanded to include all entities that create, receive, maintain or transmit PHI on behalf of a covered entity, such as a BA subcontractor.
• BA may have vicarious liability for subcontractor’s noncompliance.
7. What is PHI?
• Information transmitted or maintained in any form or medium by a Covered Entity or its Business Associate.
• Information that individually identifies a patient.
• Describes the past, present, or future physical or mental health or condition of an individual, or payments for that individual's care.
• Includes the demographics of an individual.
8. Examples of Demographics
• Name
• Address
• Date of Birth
• Telephone Number
• Social Security Number
• Medical Record Number
• Health Plan Number
• Account Number
• Driver License Number
• Fax Number
• Any other unique identifying characteristic
9. Where is PHI found?
• Patient Medical Records
• Patient Financial Records
• Other items that may contain PHI
- Daily Census
- Patient Lists
- Any Documents/Reports with Patient information or demographics included
10. HIPAA Privacy versus Security
• Privacy - Grants patients the right to control access to and disclosure of their PHI
• Security - An organization's responsibility to control the means by which such information remains confidential
11. Notice of Privacy Practices
• Informs the patient regarding:
- Release of Information
- Access to Information
- Restrictions to Information
- Amendments to Information
- Accounting of Disclosures
• Healthcare Organizations must educate patients and families on the rights and protections contained within the Notice of Privacy Practices.
12. What HIPAA means for patients:
• Increased Control
- Use of Information
- Disclosure of Information
• Increased Understanding
- Use of Information
- Who has Access
• Increased Protection of Their Rights
13. Breach
• An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational or other harm to the affected individual.
• In simple terms: Protected Health Information made available to those who have no authority to view it, and who may use that information inappropriately.
14. Consequences of violations...
• Penalties at work
- Warnings, suspension, termination
• Civil Penalties
- 4 tiers based on culpability: $100 to $50,000 per violation (up to $1,500,000 for identical violations in a calendar year)
• Criminal Penalties
- Up to 10 years in prison
- Fines as high as $250,000.00
15. Avoiding Breach Notification
• Never write down your username and passwords, and especially do not attach them to your laptop.
• Always lock or shut down your computer when it is unattended.
• Do not give your passwords out to anyone.
• Be sure your printouts containing PHI are secured.
• Never text PHI using cell phones or smartphones.
• Never access the record of a patient you are not authorized to provide treatment for.