HIPAA Part I: The Law Test
  1. HIPAA: THE LAW

  2. What is HIPAA?
     HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA is a federal law that requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health information.

  3. What was Title I of HIPAA designed to protect? (HIPAA Health Insurance Reform)
     Title I of HIPAA was designed to protect health insurance coverage for workers (with pre-existing conditions) and their families when they change or lose their jobs.

  4. What does Title II of HIPAA provide? (HIPAA Administrative Simplification)
     Title II of HIPAA provides for standards when sending electronic claims. This reduces the administrative burden on hospitals and physicians, who no longer have to keep up with different requirements and standards for different insurance companies. As we move more toward sharing patient billing information electronically, we need to be sure that procedures are in place to ensure the security of systems and protect patient privacy.

  5. What is HITECH?
     HITECH definition: The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil

  6. HITECH – “Enhanced” Privacy and Security
     Before HITECH:
     1. From $100 per incident up to $25,000/yr
     2. And “Complaint Driven”

  7. HITECH – “Enhanced” Privacy and Security
     After HITECH:
     1. For “Willful Neglect”, from $50,000 per incident up to $1.5 million/yr and criminal penalties
     2. And enforcement through state Attorneys General
     3. And HHS hired “Big Five” CPA firms for compliance audits

  8. Big Challenges from HITECH
     • HIPAA extended to business associates.
     • Accounting for disclosures required.
     • Notifications of data breaches of unprotected PHI required.

  9. New in HITECH: “Unprotected PHI”
     Breach of “Unprotected PHI” requires notification of the Secretary of HHS and others. HHS has determined that protection for PHI is provided by:
     • Secure destruction, or
     • Encryption (HITECH defined encryption for the first time)
     • Provides “safe harbor”
     • Must be certified by NIST

  10. Data Breach Notification
     Requires a “Risk Analysis” to determine if a disclosure is an actionable breach.
     • Criteria include an estimate of damage in financial and reputational dimensions.
     • Consider persistence of disclosure.
     • Safe harbor for ePHI provided by encryption and/or secure destruction.
     All data breaches are reported to the Secretary, U.S. Dept. of Health and Human Services.

  11. Aspects of HIPAA
     Privacy Standards
     • Finalized August 2002
     • Enforcement April 14, 2003
     Security Standards
     • Finalized February 20, 2003
     • Enforcement April 21, 2005
     Transactions and Code Set Standards
     • Enforcement October 16, 2003
     HITECH
     • Enforcement February 10, 2010 for Business Associates, Penalties and Audit (other regulations pending)

  12. Patient Rights
     • Receive a privacy notice: The privacy notice describes how medical information about you may be used and disclosed and how you can get access to this information.
     • Access protected health information: Patients have the right to access their PHI contained in their medical and billing records. They can review it and obtain a copy of it, but not the original record.
     • Request an amendment to their health information: Patients have a right to request an amendment to their medical record. As a provider, we do not have to amend the record. We must have a process in place to accept the amendment request, accept or deny the amendment request, and communicate with the patient about the amendment request.

  13. More patient rights…
     • Receive an accounting for disclosure and access report: Patients have the right to receive a list of anyone who has obtained access to their medical record and billing information, with certain exclusions. As a provider, we are required to maintain a written log that documents where information is disclosed on each patient. The most common example of disclosed information is data reported to the Health Department.
     • Request we contact them by alternative means: Patients have the right to ask that we do not leave messages on their answering machine or that we do not call them at their work number.
     • File a complaint: Patients have the right to file a complaint with the UT Health Science Center and with the Secretary of DHHS. We are required to have a complaint process in place. The same process that is used for Medicare compliance complaints will be used for HIPAA complaints. To file a complaint, use the complaint form

  14. What are the penalties under HIPAA?
     There are severe civil and criminal penalties for noncompliance that range from fines to prison sentences. It should be noted that HIPAA is the only federal regulation that carries with it personal liability for individuals who violate the Act.

  15. Under the HIPAA Security Rule, UTHSC must:
     1) Ensure the confidentiality, integrity, and availability of all electronic protected health information that UTHSC creates, receives, maintains, or transmits.
     2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
     3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule.
     4) Ensure compliance with HIPAA by its workforce.

  16. How do I report a Security or Privacy Violation?

  17. How can I contact the HIPAA Privacy Officer or Security Officer?

  18. Will anything happen to a person who files a complaint?
     There will be no retaliation for filing a complaint. It is against the law to cause problems for anyone who does file a complaint. Reported items will be investigated, and appropriate action will be taken. There will be no repercussions taken against an employee who reports an issue. You are encouraged to share information you believe is relevant for federal regulation compliance. You are not required to identify yourself. Confidentiality regarding the issues you raise will be provided.

  19. Is there anonymity provided for complainants?
     Your concern might not be addressed unless you provide sufficient information about the facts of the situation. Telephone calls are not recorded, and no effort is made to determine the number or location from which you call. Please provide as much information as possible. When possible, please provide names of individuals who should be contacted during our investigation. If you would like information on the progress of the investigation, you will need to provide your name and telephone number.