The document discusses the Health Insurance Portability and Accountability Act (HIPAA) and its requirements around privacy and security of patient health information. HIPAA established rules around privacy, security, transactions, and enforcement to protect patient information. It defines protected health information, privacy standards, and security standards. Breaches can occur through vulnerabilities in hardware/software or policies. Risk assessment is important to identify threats and risks. Administrative, physical and technical safeguards help ensure privacy and security of electronic health information as required by HIPAA.
2. Introduction
The Health Insurance Portability and Accountability Act (HIPAA) of
1996 addressed two consumer concerns: 1) availability of insurance
coverage when switching jobs and 2) privacy of health information,
given the increasing use of electronic health communications and
transactions (104th Congress, 1996).
As mandated by HIPAA, the US Department of Health and Human
Services developed rules governing health care transactions. These rules
cover privacy, security, transactions and code sets, national provider
identifiers, and enforcement (HIPAA administrative, n.d.).
(Diagram: Privacy, Security, and Confidentiality together make up COMPLIANCE)
3. Definitions
Confidentiality: the ethical principle that private information shared within an
established relationship (such as patient and provider) will not be disclosed to
others unless consent is given (Hebda & Czar, 2013).
Privacy Rule: establishes an individual's right to know who has access to, uses,
or discloses their protected health information (PHI), and limits the uses and
disclosures a covered entity may make without the individual's authorization (Hebda
& Czar, 2013).
Security Rule: addresses electronic PHI and lays out the administrative, physical,
and technical safeguards required to protect it (U.S. Department of Health,
Health information, n.d.).
Transaction and Code Set Rule: addresses the standardization of electronic
health care transactions used by covered entities (U.S. Department of Health,
Other administrative, n.d.).
Electronic Data Interchange (EDI) codes
International Classification of Disease (ICD) codes
4. Health Information Technology for Economic and Clinical Health Act
The Health Information Technology for Economic and Clinical Health
Act (HITECH) is a part of the 2009 American Recovery and
Reinvestment Act (Hebda & Czar, 2013).
HITECH consists of four parts:
Subtitle A: Promotion of Health Information Technology
Subtitle B: Testing of Health Information Technology
Subtitle C: Grants and Loans Funding
Subtitle D: Privacy (111th
Congress, 2009).
Meaningful use: the set of criteria that eligible providers and hospitals must
meet in their use of certified EHR technology to qualify for Medicare and Medicaid
EHR incentive payments (Centers for Medicare & Medicaid, 2013, April 17).
5. Risk Assessment
With increased reliance on electronic health records come increased
risks: violations of patients' privacy, reduced quality of care, and
increased costs to medical facilities from the loss of patient
information (Office of Civil Rights, 2010).
Vulnerability: a weakness in a system which provides an
opportunity for a threat to cause damage. Vulnerability may be part
of the hardware or software of the electronic health record, or it may
be found in weak or non-existent policies and procedures (Office of
Civil Rights, 2010).
Threat: the potential for a natural, environmental, or human (intentional or
unintentional) source to cause harm or injury to the organization or its
information (Hebda & Czar, 2013).
Risk: a function of an organization's vulnerability to anything that
threatens the continuation of its operations, that is, how likely a threat is
to exploit a weakness and how much damage would result (Hebda & Czar, 2013).
6. CASE STUDY
At the next staff meeting you have to present a review of the Privacy Rule
of HIPAA along with specific examples of the privacy rule in action.
Explain what is considered patient health information under this rule.
Describe 3 situations where disclosure is or is not permitted when the
patient is present and is able to make decisions.
Describe 3 situations where disclosure is or is not permitted when the
patient is NOT present or is NOT able to make decisions.
Handout: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf
*Answer key provided at the end of presentation.
7. Avoiding Breaches in Security
To avoid breaches in security it is important to have
safeguards in place:
Authentication: verifying that a user is who they claim to be. In its simplest
form, a unique user ID links each healthcare professional to the information they
are allowed to view and is used together with a password, a combination of letters
and numbers known only to that user (Hebda & Czar, 2013).
Public Key Infrastructure (PKI): a system of digital certificates, certificate
authorities, and public/private key pairs that binds a verified identity to a
cryptographic key. An organization issues each authorized employee (or device) a
certificate that acts as a much stronger identifier than a password and can also be
used to sign and encrypt messages (Hebda & Czar, 2013).
Biometrics: the use of biological characteristics such as fingerprints, retina,
facial structure, hand shape, ear pattern, or voice patterns to identify a person
(Hebda & Czar, 2013).
Combining two of these factors (something you know, something you have, something
you are) is stronger than any one of them alone; a stolen password is useless
without the certificate or fingerprint that must accompany it.
8. Keys to Creating a Strong Password
Passwords should be long: at least 12-14 characters, mixing upper and lowercase
letters and numbers. Length matters more than any single character class.
Use a different password for each system or database, so that one compromised
credential does not open the others.
Do not let a shared or clinical workstation save or remember your password. A
password manager on a device you control is a different matter; it is how most
people keep a unique password for every system.
Do not use birthdates, anniversary dates, social security numbers, phone
numbers, etc. as passwords; they are easy to guess from public information.
Do not use a repeated character as your password, e.g. 222222.
Keep passwords private. Do not tell anyone your password and do not write it
down where others can find it.
Change your password immediately if you suspect it has been exposed, and do not
reuse a password that has been used previously. Routine rotation every couple of
months is still common hospital policy; current NIST guidance (SP 800-63B) no
longer recommends forced periodic changes, preferring long passwords checked
against lists of known-breached ones.
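The rules above can be written down as a policy check that a registration or password-change form runs before it accepts a new password. This is an added example and not part of the original deck: the history set and the candidate passwords are constructed for illustration, and the thresholds (12 characters, 6 distinct characters, digit runs of 6 or more) are assumptions chosen to match the slide.

```python
"""Policy check for the password rules on the slide above.
Added example, not from the source deck. Thresholds and the
PREVIOUSLY_USED set are constructed assumptions."""
import re

MIN_LENGTH = 12      # slide: 12-14 characters or longer
MIN_DISTINCT = 6     # rejects "222222" and other low-variety strings
MAX_DIGIT_RUN = 5    # 6+ consecutive digits look like a date, phone number or SSN

# Constructed stand-in for the user's password history. A real system
# stores salted hashes of old passwords and compares against those,
# never the plaintext.
PREVIOUSLY_USED = {"Hospital2013!", "Telemetry#Unit1"}


def check_password(password, history=PREVIOUSLY_USED):
    """Return the list of rules the candidate breaks (empty list = acceptable)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if not re.search(r"[A-Z]", password):
        violations.append("no_uppercase")
    if not re.search(r"[a-z]", password):
        violations.append("no_lowercase")
    if not re.search(r"[0-9]", password):
        violations.append("no_digit")
    if len(set(password)) < MIN_DISTINCT:
        violations.append("low_variety")      # e.g. 222222 or aaaaaaaaaaaa
    if re.search(r"[0-9]{%d,}" % (MAX_DIGIT_RUN + 1), password):
        violations.append("digit_run")        # e.g. a birthdate such as 04121985
    if password in history:
        violations.append("reused")
    return violations


def is_acceptable(password, history=PREVIOUSLY_USED):
    return not check_password(password, history)


if __name__ == "__main__":
    # Constructed candidates, one per rule on the slide.
    for candidate in ["222222", "Nurse04121985!", "Hospital2013!", "Telem3try-Rounds"]:
        print(f"{candidate!r:20} -> {check_password(candidate) or 'acceptable'}")
```

The digit-run rule is deliberately blunt: it catches dates, phone numbers and social security numbers with one pattern instead of trying to recognise each format. A production check would add a lookup against a breached-password list, which this example leaves out because it needs a data set that is not on the page.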
9. Safeguards Principle
With advances in technology, maintaining the integrity of electronic
protected health information (EPHI) becomes harder. The safeguards principle
was established to protect confidentiality and prevent unauthorized use or
disclosure of this information (Hebda & Czar, 2013).
Administrative Safeguards: policies and procedures to prevent, detect, contain,
and correct security violations.
Physical Safeguards: physical measures that protect the systems and facilities
holding EPHI from unauthorized access, tampering, and theft.
Technical Safeguards: the technology, and the policies for its use, that protect
electronic health information and control access to it.
10. Administrative Safeguards
Risk analysis: assess the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of EPHI (Hebda & Czar, 2013).
Risk Management: act on the risk analysis by implementing security measures
sufficient to reduce the identified risks to a reasonable level (Hebda & Czar,
2013).
Sanction Policy: define consequences for workforce members who fail to
comply with the security measures in place (Hebda & Czar, 2013).
Information System Activity Review: regularly review records of system
activity, such as audit logs, access reports, and security incident tracking
reports, so that misuse is detected rather than assumed absent (Hebda & Czar, 2013).
11. Physical Safeguards
Facility access controls: limit physical access to the facilities and
equipment that house EPHI to authorized persons (Hebda & Czar, 2013).
Workstation use: specify how and where computers, laptops, mobile devices, or
other devices that access or transmit confidential data are to be used, so that
the integrity of the system is maintained (Hebda & Czar, 2013).
Workstation security: require users to log on to the system each time they
wish to access the database and to log off, or lock the screen, before leaving
the workstation (Hebda & Czar, 2013).
Device and Media controls: govern the receipt and removal of hardware and media
containing EPHI, including wiping or destroying the stored information before a
device is reused or disposed of (Hebda & Czar, 2013).
12. Technical Safeguards
Access controls: limit access to EPHI to authorized users and programs, for
example through unique user IDs, automatic logoff, and emergency access
procedures (Hebda & Czar, 2013).
Audit controls: have hardware, software, or procedures in place that record
and examine activity in systems that contain electronic protected health
information (Hebda & Czar, 2013).
Integrity controls: ensure that electronic protected health information (EPHI)
is not improperly altered or destroyed, and provide a way to detect when it has
been (Hebda & Czar, 2013).
Transmission security: guard against unauthorized access to EPHI while it is
being transmitted over a network, typically by encrypting it in transit (Hebda &
Czar, 2013).
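The information system activity review on the administrative safeguards slide and the audit controls on this slide are the same mechanism seen from two sides: the system records who touched which record, and someone, or something, reviews those records. As an added example that is not code from the source deck, here is a review pass over a constructed EHR access trail that applies three detections a hospital security team would typically run: chart views by staff not assigned to the patient, views outside shift hours, and a burst of failed logins followed by a success. The log lines, the assignment list, the shift window and the failed-login threshold are all constructed assumptions.

```python
"""Audit-log review over a constructed EHR access trail.
Added example, not from the source deck. Log lines, assignments,
shift window and thresholds are constructed assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data). One row per access event.
AUDIT_LOG = """\
timestamp,user,action,patient_id,outcome
2013-06-02T08:05:00,jbug,VIEW_CHART,P1001,success
2013-06-02T08:07:00,jbug,VIEW_CHART,P1002,success
2013-06-02T08:20:00,jbug,VIEW_CHART,P2001,success
2013-06-02T02:14:00,tlee,VIEW_CHART,P1001,success
2013-06-02T09:00:00,tlee,VIEW_CHART,P1003,success
2013-06-02T12:00:00,rkim,LOGIN,,failure
2013-06-02T12:00:20,rkim,LOGIN,,failure
2013-06-02T12:00:40,rkim,LOGIN,,failure
2013-06-02T12:01:00,rkim,LOGIN,,failure
2013-06-02T12:01:20,rkim,LOGIN,,failure
2013-06-02T12:01:40,rkim,LOGIN,,success
"""

# Constructed care-assignment list: the patients each user is currently treating.
ASSIGNMENTS = {"jbug": {"P1001", "P1002"}, "tlee": {"P1001", "P1003"}}

SHIFT_START, SHIFT_END = 6, 22                # assumed day-shift window (hours)
FAILED_LOGIN_LIMIT = 5                        # assumed threshold for an alert
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # assumed sliding window


def parse_log(text):
    """Parse the CSV trail into dicts with real datetimes, oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])


def review(rows, assignments=ASSIGNMENTS):
    """Return (finding, user, patient_id, timestamp) tuples in time order."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for row in rows:
        ts, user = row["timestamp"], row["user"]
        if row["action"] == "VIEW_CHART":
            # Snooping: a chart view for a patient the user is not assigned to.
            if row["patient_id"] not in assignments.get(user, set()):
                findings.append(("unassigned_access", user, row["patient_id"], ts))
            # Access outside the user's expected working hours.
            if not SHIFT_START <= ts.hour < SHIFT_END:
                findings.append(("after_hours_access", user, row["patient_id"], ts))
        elif row["action"] == "LOGIN":
            window = [t for t in recent_failures[user] if ts - t <= FAILED_LOGIN_WINDOW]
            if row["outcome"] == "failure":
                window.append(ts)
                if len(window) == FAILED_LOGIN_LIMIT:    # alert once, on the Nth failure
                    findings.append(("repeated_login_failures", user, None, ts))
                recent_failures[user] = window
            else:
                # A success right after a burst of failures suggests a guessed password.
                if len(window) >= FAILED_LOGIN_LIMIT:
                    findings.append(("login_success_after_failures", user, None, ts))
                recent_failures[user] = []
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(AUDIT_LOG)):
        print(finding)
```

Each finding is a lead for a human reviewer, not a verdict: the after-hours view by tlee may be a legitimate night call, and the assignment list must come from the scheduling system, not be maintained by hand, or the unassigned-access rule produces noise. The sanction policy on the previous slide is what gives these findings teeth.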
13. Email and HIPAA
Careful consideration is needed when communicating through email in the
healthcare world. To maintain confidentiality, any email that contains or refers to
protected health information must be encrypted, and it must be sent through the
organization's approved email system rather than a personal account.
Encryption: the use of a mathematic formula to encode and protect
messages (Hebda & Czar, 2013).
Packet filter: a firewall technique that inspects each packet entering (or leaving)
the network, typically its source and destination addresses, protocol, and ports,
and accepts or rejects it according to a rule set (Hebda & Czar, 2013).
Application gateway: a proxy that terminates the outside system's connection and
opens a separate connection to the inside system, so that outside parties never
talk directly to the other computers in the network (Hebda & Czar, 2013).
Circuit-level gateway: permits a connection from outside the network only after
the request has been examined and approved by the firewall; otherwise the request is
dropped or denied (Hebda & Czar, 2013).
Proxy server: relays requests on behalf of internal clients, keeping internal
network addresses hidden from outside parties (Hebda & Czar, 2013).
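The packet filter defined above is the simplest of these techniques, and its behaviour follows entirely from the order of its rules and its default action. As an added example that is not part of the original deck, here is a first-match packet filter in Python over constructed rules and packets: a clinic subnet that may reach the EHR server over HTTPS with everything else denied by default, and a second, misordered rule set showing how a broad accept placed first silently overrides the reject that follows it. The subnets, addresses and ports are assumptions (documentation ranges, not a real hospital network).

```python
"""First-match packet filter over constructed rules and packets.
Added example, not from the source deck. Addresses are documentation
ranges and both rule sets are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "reject"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(rules, pkt: Packet, default: str = "reject") -> str:
    """Return the action of the first matching rule, else the default action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed network: clinic workstations on 10.10.0.0/16, EHR server at 10.20.0.5.
EHR_SERVER = "10.20.0.5/32"
GOOD_RULES = [
    Rule("accept", "tcp", "10.10.0.0/16", EHR_SERVER, 443),     # clinic -> EHR over HTTPS
    Rule("reject", "any", "0.0.0.0/0", "10.20.0.0/16", None),    # nothing else reaches the EHR subnet
]
# Misordered: the broad accept comes first, so the RDP reject below can never fire.
BAD_RULES = [
    Rule("accept", "any", "0.0.0.0/0", "10.20.0.0/16", None),
    Rule("reject", "tcp", "0.0.0.0/0", EHR_SERVER, 3389),
]

# Constructed test traffic: two clinic packets and one from the public Internet.
SAMPLE_PACKETS = {
    "clinic_https": Packet("tcp", "10.10.4.2", "10.20.0.5", 443),
    "clinic_rdp": Packet("tcp", "10.10.4.2", "10.20.0.5", 3389),
    "internet_https": Packet("tcp", "203.0.113.7", "10.20.0.5", 443),
}


def decisions(rules, packets=SAMPLE_PACKETS):
    """Run every sample packet through the rule set and report the verdicts."""
    return {name: filter_packet(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    print("default-deny rules:", decisions(GOOD_RULES))
    print("misordered rules:  ", decisions(BAD_RULES))
```

A packet filter like this is stateless: it cannot tell a reply to an inside connection from an unsolicited packet, which is why the circuit-level gateway above tracks connection state, and it never looks inside the payload, which is the application gateway's job. Keeping the default at reject and putting specific rules before broad ones is what makes the first rule set safe and the second one a hole.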
14. CASE STUDY #2
June is a nurse on a telemetry unit in a busy city hospital. One of her patients, Jane Doe, has been in the hospital since
Friday evening. It is now Sunday night and Jane is worried about not making it to work on Monday. She asks June to send
an email to her employer letting them know that she has been in the hospital and will likely be out of work for a few days:
she is to have a cardiac catheterization Monday morning, and even if everything looks good she will need to stay to be
monitored overnight. Since June likes to help as much as she can, she agrees to send the email. See the email below.
To: Janesjob@joco.net
From: Junebug@aol.com
Subject: Jane Doe in hospital
To whom it may concern,
I am writing to inform you that your employee, Jane Doe has been in University Hospital since Friday. She came in with chest
pain, had a positive stress test and is scheduled to have a cardiac catheterization tomorrow, Monday. She asked me to email
you to let you know that she will not be at work on Monday and will most likely be out of work on Tuesday as well. Thank
you for understanding.
Sincerely, June Bug, RN
Does this email comply with HIPAA standards?
NO!
What's wrong with this email?
This email, containing private medical information about a patient, was sent from a personal email account (aol.com) rather
than through the hospital's secure, encrypted email system.
The patient's name is included in the subject line. That is not allowed: message headers are not encrypted even when the body
is, and they show up in notification previews and mail server logs.
The message also says far more than the patient asked for. She wanted her employer told that she is in the hospital and will
be out for a few days; the email adds her presenting complaint, her stress test result, and the procedure she is scheduled
for. Disclose only what the patient has actually agreed to share.
Be careful when sending email containing patient information. A smart alternative would have been to let the patient send the
message herself from her own email account. Most hospitals offer internet access in all patient rooms, so there was no reason
the nurse had to send it.
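The defects identified above (personal account, patient name in the subject line, unencrypted clinical detail in the body) are the kind of thing an outbound mail gateway can catch before a message leaves the hospital. As an added example that is not part of the original deck, here is a policy check written against the message on the slide, using Python's standard email parser. The approved sender domain, the patient roster, the PHI term list and the second, compliant message are constructed assumptions; a real deployment would look patient names up in the EHR and treat the term list as a starting point, not a complete PHI detector.

```python
"""Outbound e-mail policy check for PHI, run over the case-study message.
Added example, not from the source deck. The approved domain, roster,
term list and the compliant message are constructed assumptions."""
import email
from email import policy
from email.utils import parseaddr

APPROVED_SENDER_DOMAINS = {"universityhospital.example"}       # assumed hospital mail domain
PATIENT_ROSTER = {"Jane Doe"}                                   # stand-in for an EHR lookup
PHI_TERMS = ("chest pain", "stress test", "catheterization")    # assumed clinical term list
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}   # S/MIME, PGP/MIME


def check_outbound(raw_message: str) -> list:
    """Return policy findings for one outbound message (empty list = may be sent)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    _, sender = parseaddr(str(msg["From"] or ""))
    if sender.rsplit("@", 1)[-1].lower() not in APPROVED_SENDER_DOMAINS:
        findings.append("unapproved_sender_domain")

    # Headers are never encrypted, even for S/MIME or PGP mail, so an identifier
    # in the Subject leaks regardless of what is done to the body.
    subject = str(msg["Subject"] or "").lower()
    if any(name.lower() in subject for name in PATIENT_ROSTER):
        findings.append("patient_identifier_in_subject")

    if msg.get_content_type() in ENCRYPTED_TYPES:
        return findings    # body is ciphertext; there is nothing more to inspect here

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if any(name in text for name in PATIENT_ROSTER) or any(t in text.lower() for t in PHI_TERMS):
        findings.append("unencrypted_phi_in_body")
    return findings


# The message from the case study, as it appears on the slide.
SLIDE_EMAIL = """\
To: Janesjob@joco.net
From: Junebug@aol.com
Subject: Jane Doe in hospital

To whom it may concern,
I am writing to inform you that your employee, Jane Doe has been in University Hospital since Friday. She came in with chest
pain, had a positive stress test and is scheduled to have a cardiac catheterization tomorrow, Monday. She asked me to email
you to let you know that she will not be at work on Monday and will most likely be out of work on Tuesday as well. Thank
you for understanding.
Sincerely, June Bug, RN
"""

# Constructed compliant counterpart: hospital account, neutral subject, S/MIME
# encrypted body. The body is a placeholder (base64 of "placeholder"), not real ciphertext.
COMPLIANT_EMAIL = """\
To: Janesjob@joco.net
From: june.bug@universityhospital.example
Subject: Absence notice for an employee
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
"""

if __name__ == "__main__":
    print("slide email:    ", check_outbound(SLIDE_EMAIL) or "no findings")
    print("compliant email:", check_outbound(COMPLIANT_EMAIL) or "no findings")
```

The check deliberately stops at the encryption boundary: once the body is S/MIME or PGP ciphertext the gateway cannot scan it, which is exactly why the subject line and the sender account have to be policed separately. It also says nothing about whether the patient authorised the disclosure at all; that decision still belongs to a person, before the message is written.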
15. CASE STUDY #1 ANSWER KEY
Explain what is considered patient health information under this rule.
PHI is individually identifiable health information held or transmitted by a covered entity, in any form. It
includes anything that identifies the individual together with information about their health, care, or payment
for care: name, age, social security number, health conditions, prescriptions, lab results, and claims
information (Hebda & Czar, 2013).
Describe 3 situations where disclosure is or is not permitted when the patient is present and is able to
make decisions.
Patient needs an interpreter. Medical information may be shared with the interpreter who works for
the healthcare provider or has a signed business associate agreement with the healthcare provider,
or if the interpreter is a family member of the patient and the patient agrees.
Patient verbally agrees to let the healthcare provider discuss the current medical condition with a
family member. Written consent is not a requirement of HIPAA, but may be a requirement of the
healthcare facility.
Patient is discussing his health condition with the physician when the patient’s sister and friend enter
the room. The healthcare provider should ask the patient for permission to continue with the sister
and friend present. Without verbal consent the provider should not continue to discuss the patient’s
medical condition (U.S. Department of Health, A healthcare provider’s guide, n.d.)
Describe 3 situations where disclosure is or is not permitted when the patient is NOT present or is NOT
able to make decisions.
Provider may share relevant information with a family member or friend if the provider determines, using
professional judgment, that doing so is in the best interest of the patient.
Provider discusses the patient’s care with her Physician’s Assistant in a public elevator while
returning to her office and 5 other people are present who are not involved in the patient’s care or
family members or friends of the patient. This is not permitted.
Provider allows a friend of the patient to pick up the patient’s x-rays. The provider may use
professional judgment in allowing someone other than the patient to pick up prescriptions, x-rays,
medical equipment or other similar types of medical information of the patient (U.S. Department of
Health, A healthcare provider’s guide, n.d.)
16. References
104th Congress of the United States. (1996). Health Insurance Portability and Accountability Act of 1996. Retrieved from www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/HIPAALaw.pdf
111th Congress of the United States. (2009). American Recovery and Reinvestment Act of 2009 (pp. 112-165). Retrieved from www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf
Centers for Medicare & Medicaid. (2013, April 17). Meaningful use. Retrieved from www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html
Centers for Medicare & Medicaid. (2013, April 4). Medicare and Medicaid EHR incentive programs. Retrieved from www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Basics.html
Centers for Medicare & Medicaid. (2013, April 17). Transaction and code set standards. Retrieved from www.cms.gov/Regulations-and-Guidance/HIPPPA-Simplification/TransactionCodeSetsStands/index.html?redirect=/TransactionCodeSetsStands/02_TransactionsandCodeSetsRegulations.asp
Hebda, T., & Czar, P. (2013). Handbook of informatics for nurses and healthcare professionals (5th ed.). Upper Saddle River, NJ: Pearson.
NCBI Bookshelf. (2009). The value and importance of health information privacy: Beyond the HIPAA Privacy Rule. Washington, D.C.: National Academy of Sciences. Retrieved from http://www.ncbi.nlm.nih.gov/books/NBK9579/?report=printable
Office of Civil Rights. (2010, July 14). Guidance on risk analysis requirements under the HIPAA Security Rule. Retrieved from www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Ouellette, P. (2012, November). A look at HIPAA administrative safeguard requirements. Health IT Security. Retrieved from healthitsecurity.com/2012/11/26/a-look-at-hipaa-administrative-safeguard-requirements/
U.S. Department of Health & Human Services. (n.d.). Health information privacy. Retrieved from www.hhs.gov/ocr/privacy/index.html
U.S. Department of Health & Human Services, Office of Civil Rights. (n.d.). A healthcare provider's guide to the HIPAA Privacy Rule: Communicating with a patient's family, friends, or others involved in the patient's care. Retrieved from www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf
U.S. Department of Health & Human Services. (n.d.). HIPAA administrative simplification statute and rules. Retrieved from www.hhs.gov/ocr/privacy/hippa/administrative
U.S. Department of Health & Human Services. (n.d.). Other administrative simplification rules. Retrieved from www.hhs.gov/ocr/privacy/hipaa/administrative/other/index.html
U.S. Department of Health & Human Services. (n.d.). Summary of the HIPAA Privacy Rule. Retrieved from www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html