3. This act is meant to protect patients, reduce fraud, improve quality of
health care, and set strict standards for how private information about
patients is transmitted (the widespread use of electronic data transmissions
made things faster but is considered risky; HIPAA, 1996).
4. Some Acronyms you will need to know.
PHI - stands for Protected Health Information.
PHI may be shared among health care providers and
payors Covered Entities for purposes of treatment,
payment and operations (TPO) without asking patients
for permission. Any other use or disclosure of PHI
requires patient consent. Every CE is required to give
patients a Notice of Privacy Practices (NPP)
TPO - stands for Treatment, Payment and Operations.
5. CE – Covered Entities
BA – Business Associates are held to the
same strict standards as Covered
Entities
Business Associates are contractors that
store and touch PHI — including
document storage companies and other
contractors that “maintain” PHI, even
if they do not actually view the
information in their possession.
6. The Final Rule
September 23, 2013 – Hospitals and physicians must comply with
the HIPAA Omnibus Final Rule
The Next 7 Points were taken from the article titled:
15 Things to Know About the HIPAA Omnibus Final Rule before Sept. 23
1. The final rule expands patient rights by allowing them to ask for a
copy of their electronic medical record in electronic form.
2. Under the final rule, when patients pay out of pocket in full, they can
instruct their provider to refrain from sharing information about their
treatment with their health plan.
3. If a Medicare beneficiary requests a restriction on the disclosure of
PHI to Medicare for a covered service and pays out of pocket for the
service, the provider must also restrict the disclosure of PHI regarding
the service to Medicare.
7. 4. The final rule sets new limits on how information can be used and
disclosed for marketing and fundraising purposes, and it prohibits the sale of
an individuals' health information without their permission.
5. Penalties for noncompliance with the final rule are based on the level of
negligence with a maximum penalty of $1.5 million per violation.
6. The breach notification final rule was amended with a requirement to
determine the breach's "risk of compromise" rather than harm. "Compromise"
was considered a more objective test than harm. Thus, breach notification is
necessary in all situations except those in which the covered entity or
business associate demonstrates a low probability that the PHI has been
compromised.
7. To determine whether there is a low probability that PHI has been
compromised, the covered entity or business associate must conduct a risk
assessment that considers at least each of the following factors:
• The nature and extent of the PHI involved, including the types of
identifiers and the likelihood of re-identification. • The unauthorized person
who used the PHI or to whom the disclosure was made. • Whether the PHI
was actually acquired or viewed. • The extent to which the risk to the PHI
has been mitigated.
8. Do list for HIPAA
Treat patients’ personal information as you would like your
own information to be treated: Keep it secure and respect
their right to privacy.
Use passwords that are not obvious (password is not a
password; neither is 12345), keep them in a secure place that
is also password protected, and change them regularly.
If you need to be in patient areas, be discreet. If you work in
a surgery center, wear the uniform so that patients are not
uncomfortable with a stranger in street clothes.
Keep your voice down when discussing patient finances, both
in person and over the phone.
Be professional at all times.
Taken from Do’s and Don’ts of HIPPA Compliance for a
Medical Biller/Coder
9. All health care employees must be trained when hired
Training for HIPAA is done annually
Employees will be trained with a HIPAA video
10. Ways to Protect The Patient’s Privacy
Utilize the minimum necessary standard with
protected health information.
Do not talk about a patient’s information in a
public discussion.
Do not leave a patient’s health record open on the
computer.
11. References
Gamble, M. (2013, August 13). 15 things to know about the HIPAA omnibus final
rule before Sept. 23. Retrieved from
http://www.beckershospitalreview.com/legal-regulatory-issues/15-things-to-
know-about-the-hipaa-omnibus-final-rule-before-sept-23.html
Smiley, K. (N.D.). The do’s and don’ts of HIPAA compliance for a medical
biller/coder. Retrieved from http://www.beckershospitalreview.com/legal-
regulatory-issues/15-things-to-know-about-the-hipaa-omnibus-final-rule-before-
sept-23.html
