2. BACKGROUND
• The Health Insurance Portability and Accountability Act is a Federal law that
was enacted on August 21, 1996
• It is Public Law 104-191
• It was developed by the Department of Health and Human Services
• Sections 261 through 264 of this law require the Secretary of Health and Human Services to publicize standards for the electronic exchange, privacy, and security of health information.
3. What is HIPAA?
• It is a Federal law that sets standards to protect patients' medical information.
• It states that patients have the right to their own personal health records.
• It states that health information cannot be used or released without the patient's authorization.
4. More about HIPAA
• It limits the use of personal health information to the minimum necessary for the purpose for which it is needed.
• It imposes administrative requirements, including a designated privacy officer at medical facilities.
• The privacy officer conducts HIPAA training and documents and implements the policies and procedures that ensure HIPAA guidelines are being followed.
5. PRIVACY
• The Privacy Act of 1974 was established to safeguard an individual's privacy from possible misuse of federal records and to allow individuals access to the records that federal agencies maintain about them.
• The Privacy Protection and Safety Commission was established to monitor these rights.
• Under the United States Constitution, each citizen has a right to privacy and to have their personal information protected.
• It also protects citizens from invasion of personal privacy.
6. PRIVACY GUIDELINES
• Authorization: Before any health information can be released, the patient must sign the "release of information" form. This applies both when the patient requests their own medical records and when another entity requests them; in either case the patient must sign the form.
• Minimum Necessary: Once the patient has signed the completed release of information form, release only the minimum records necessary for the request, not the complete medical record.
• Confidentiality: Under no circumstances should a patient's medical information be shared outside the office.
• Protect Access: Safeguard your work area so that unauthorized access to patients' records is avoided.
7. Confidentiality
• Confidentiality refers to the expectation that information a patient shares with their medical provider will be used only for their care.
• A physician may not disclose any medical information about a patient without the patient's permission.
• All employees in a healthcare setting must also maintain the confidentiality of all patients' records and reports.
• Identification must be verified before releasing patient information.
• Disclosing any information about a patient beyond its intended purpose, without the patient's knowledge and consent, is a violation of confidentiality.
8. SECURITY
• The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule was enacted on January 25, 2013.
• The Omnibus Rule broadens the application of HIPAA privacy and security requirements to include both covered entities and business associates.
• All medical facilities need to implement a security awareness and training program for all employees.
• Some requirements of this program are:
  • Security reminders
  • Protection from malicious software
  • Log-in monitoring
  • Password management
9. SECURITY MEASURES
• Always lock your computer when you leave your work area.
• Do not leave a patient's medical records unsupervised where they can be accessed by an unauthorized person.
• Do not open e-mail from suspicious sources, to prevent malware from accessing the computer systems.
• Always wear your employee badge when at work.
• Choose a strong password for your computer sign-on.
• When e-mailing personal medical information, use encryption.
• If there are any questions, please contact your office manager.
10. E-MAIL GUIDELINES
The following guidelines need to be followed when using e-mail at the medical facility:
• When a patient e-mails our provider, you will need to educate the patient on the risks of using non-encrypted e-mail.
• If the patient requests to have reminders e-mailed, they need to be made aware of the risks.
• Document whether the patient gives their approval to send e-mails for communication or reminders.
• Use the EHR's patient portal function, which is more secure.
• Use the secure, HIPAA-compliant e-mail application.
• Manually encrypt transmitted files.
11. BREACH OF INFORMATION
If there has been a breach of security involving unprotected health information, the Secretary of Health and Human Services must be notified.
• If the breach involves more than 500 people, the Secretary must be notified within 60 days.
• If the breach involves fewer than 500 people, the Secretary must be notified within 60 days of the end of the calendar year. The notice is submitted electronically.
• A breach could be as simple as a mailing on which personal information is visible.
• Patients' personal information, such as Social Security numbers, phone numbers, account numbers, and insurance numbers, must be protected.
If you discover a breach of patient information, notify your office manager, who will notify the privacy officer so the breach can be verified and handled.
13. SUMMARY
Following HIPAA guidelines is extremely important in a medical facility. Failure to do so could lead to large fines. If you are not sure about something, ask your office manager or the privacy officer. Remember that the patient's information is private and they control who sees it. Remember that any information you handle at our facility should not be discussed when you leave the office. We strive to keep our patients' accounts accurate and secure. To do this, everyone has to work together. Use all safety precautions in your work area and throughout our facility. Your job is very important.
Welcome to our team.