Health Insurance Portability and Accountability Act (HIPAA)
Introduction
 The Health Insurance Portability and Accountability Act (HIPAA) of 1996 addressed two consumer concerns: 1) the availability of insurance coverage when switching jobs, and 2) the privacy of health information as electronic health communications and transactions became more common (104th Congress, 1996).
 As mandated by HIPAA, the US Department of Health and Human Services developed rules governing health care transactions. These rules cover privacy, security, transactions and code sets, national provider identifiers, and enforcement (HIPAA administrative, n.d.).
Privacy · Security · Confidentiality · Compliance
Definitions
 Confidentiality: the sharing of private information within an established relationship, together with the ethical principle that the information will not be disclosed unless consent is given (Hebda & Czar, 2013).
 Privacy Rule: developed to protect an individual's right to know who has access to, and who may use or disclose, their protected health information (PHI) (Hebda & Czar, 2013).
 Security Rule: addresses electronic PHI and lays out the administrative, physical, and technical safeguards required to protect electronic information (U.S. Department of Health, Health information, n.d.).
 Transaction and Code Set Rule: addresses the standardization of the electronic health care transactions used by covered entities (U.S. Department of Health, Other administrative, n.d.):
  Electronic Data Interchange (EDI) transaction standards
  International Classification of Diseases (ICD) codes
Health Information Technology for Economic and Clinical Health Act
 The Health Information Technology for Economic and Clinical Health Act (HITECH) is part of the 2009 American Recovery and Reinvestment Act (Hebda & Czar, 2013).
 HITECH consists of four parts (111th Congress, 2009):
  Subtitle A: Promotion of Health Information Technology
  Subtitle B: Testing of Health Information Technology
  Subtitle C: Grants and Loans Funding
  Subtitle D: Privacy
 Meaningful use: the set of criteria a provider must meet in its use of certified electronic health record technology to demonstrate improved patient care and qualify for incentive payments (Centers for Medicare & Medicaid, 2013, April 17).
Risk Assessment
 With increased reliance on electronic health records comes increased risk: violation of patients' privacy, reduced quality of care, and increased costs to medical facilities when patient information is lost (Office of Civil Rights, 2010).
 Vulnerability: a weakness in a system that gives a threat the opportunity to cause damage. A vulnerability may lie in the hardware or software of the electronic health record, or in weak or non-existent policies and procedures (Office of Civil Rights, 2010).
 Threat: the potential for a natural, environmental, or human (intentional or unintentional) source to cause harm or injury (Hebda & Czar, 2013).
 Risk: a function of how vulnerable an organization is to anything that threatens the continuation of its operations (Hebda & Czar, 2013).
CASE STUDY
 At the next staff meeting you have to present a review of the HIPAA Privacy Rule along with specific examples of the Privacy Rule in action.
 Explain what is considered protected health information under this rule.
 Describe 3 situations where disclosure is or is not permitted when the patient is present and is able to make decisions.
 Describe 3 situations where disclosure is or is not permitted when the patient is NOT present or is NOT able to make decisions.
Handout: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf
*Answer key provided at the end of the presentation.
Avoiding Breaches in Security
To avoid breaches in security it is important to have safeguards in place:
 Authentication: verifying who a user is, typically with a unique ID that links a healthcare professional to the information they are allowed to view, used in conjunction with a password, a combination of letters and numbers chosen by the user (Hebda & Czar, 2013).
 Public Key Infrastructure (PKI): the system of key pairs, digital certificates and certificate authorities through which an organization issues each authorized user a certificate that identifies them to its systems (Hebda & Czar, 2013).
 Biometrics: the use of biological characteristics such as fingerprints, retina, facial structure, hand shape, ear pattern, or voice patterns to identify a person (Hebda & Czar, 2013).
Keys to Creating a Strong Password
 Passwords should be long, at least 12-14 characters, and use both upper- and lowercase letters and random numbers.
 Use a different password for each system or database you access.
 Never allow a system to save or remember your password.
 Do not use birthdates, anniversary dates, social security numbers, phone numbers, etc. as passwords; they are easy to guess.
 Do not use a repeated number as your password, e.g. 222222.
 Keep passwords private. Do not tell anyone your password and do not write it down.
 Change your password every couple of months and do not reuse a password that has been used previously.
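The following checker is an added example, not part of the original presentation; it turns the rules above into code a login system could run before accepting a new password. The function names, the regular expressions approximating "date, SSN or phone number", and the PBKDF2 work factor are illustrative choices. The reuse rule is checked against a history of salted PBKDF2 digests, so old passwords never need to be stored in clear.

```python
import hashlib
import hmac
import os
import re

# Added example, not from the presentation. Names, regexes and parameters are
# illustrative choices, not HIPAA requirements.
MIN_LENGTH = 12          # the slide's "12-14 characters" treated as a floor
PBKDF2_ROUNDS = 100_000  # work factor for stored password history

# Rough patterns for the "easy to guess" values the slide lists. Any run of six
# or more digits catches MMDDYY dates, phone numbers and SSNs typed without
# separators; the other three catch common separated forms.
EASY_TO_GUESS = [
    re.compile(r"\d{6,}"),                         # 04171985, 5551234567, 123456789
    re.compile(r"\d{3}-\d{2}-\d{4}"),              # 123-45-6789 (SSN)
    re.compile(r"\d{3}[-.]\d{3}[-.]\d{4}"),        # 555-123-4567 (phone)
    re.compile(r"\d{1,2}[/-]\d{1,2}[/-]\d{2,4}"),  # 4/17/85, 04-17-1985 (date)
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so reuse can be checked without keeping plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember(password: str) -> tuple:
    """Return the (salt, digest) pair to append to a user's password history."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def check_password(password: str, history=()) -> list:
    """Return the slide rules the candidate breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lowercase letters")
    if not re.search(r"\d", password):
        problems.append("needs at least one digit")
    if len(password) > 1 and re.fullmatch(r"(.)\1*", password):
        problems.append("a single repeated character")
    if any(p.search(password) for p in EASY_TO_GUESS):
        problems.append("looks like a date, SSN or phone number")
    # Constant-time comparison against every stored digest: the
    # "do not reuse a previous password" rule.
    if any(hmac.compare_digest(hash_password(password, salt), digest)
           for salt, digest in history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    history = [remember("Correct-Horse-7-Battery")]
    for candidate in ("222222", "Born04171985xyZ",
                      "Correct-Horse-7-Battery", "Staple-Cloud-9-Lantern"):
        print(candidate, "->", check_password(candidate, history) or "accepted")
```

The digit patterns are deliberately broad: a password that merely contains a six-digit run is rejected even if it is not actually a date, which is the safer side to err on for an EHR login.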
Safeguards Principle
 As technology advances, maintaining the integrity of electronic protected health information (EPHI) becomes harder. The safeguards principle was established to protect confidentiality and prevent unauthorized use or disclosure of this information (Hebda & Czar, 2013).
 Administrative Safeguards: policies and procedures that prevent, detect and correct security violations.
 Physical Safeguards: physical measures that protect the systems holding confidential information.
 Technical Safeguards: technology and related policies that protect electronic health information and control access to it.
Administrative Safeguards
Risk analysis: assess the potential risks that could compromise the confidentiality, integrity or availability of EPHI (Hebda & Czar, 2013).
Risk management: act on the risk analysis by implementing security measures that keep the identified risks at a reasonable level (Hebda & Czar, 2013).
Sanction policy: apply consequences when workforce members fail to comply with the security measures in place (Hebda & Czar, 2013).
Information system activity review: regularly review audit logs and access reports to track security incidents (Hebda & Czar, 2013).
Physical Safeguards
Facility access controls: limit physical access to the systems holding EPHI to authorized users (Hebda & Czar, 2013).
Workstation use: specify how computers, laptops, handheld devices or other devices that handle confidential data are to be used so that the integrity of the system is maintained (Hebda & Czar, 2013).
Workstation security: require users to log on each time they wish to access the database and to log off before leaving the workstation (Hebda & Czar, 2013).
Device and media controls: require the removal and secure disposal of information stored on any device or medium that will no longer be used in the facility (Hebda & Czar, 2013).
Technical Safeguards
Access controls: limit access to EPHI to authorized users and software (Hebda & Czar, 2013).
Audit controls: have hardware, software or procedures in place that record and examine activity in systems that contain EPHI (Hebda & Czar, 2013).
Integrity controls: ensure that EPHI is not improperly altered or destroyed, and make any such change detectable (Hebda & Czar, 2013).
Transmission security: guard against unauthorized access to EPHI while it is transmitted over a network (Hebda & Czar, 2013).
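An added example (not from the presentation) of how the audit-control and integrity-control safeguards above, and the information system activity review listed under Administrative Safeguards, look in code: each EPHI record is sealed with an HMAC so silent alteration is detectable, accesses are written to a hash-chained log that breaks if an entry is edited or deleted, and a review function lists accesses outside a user's assigned patients. The key, user names, record numbers and assignment table are constructed for the demo; a production system would keep the key in a key manager or HSM and draw assignments from the scheduling system.

```python
import hashlib
import hmac
import json
import time

# Added example, not from the presentation. The key is a constructed stand-in;
# in a real system it lives in a key manager or HSM, never in source.
INTEGRITY_KEY = b"example-only-integrity-key"
GENESIS = "0" * 64


def _canonical(obj) -> bytes:
    """Canonical JSON so the same record always produces the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Integrity control: bind an HMAC-SHA256 tag to an EPHI record at write time."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record bytes still match the tag made when it was sealed."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Audit control: append-only log where each entry hashes the one before it,
    so editing or deleting an entry breaks every later hash."""

    def __init__(self):
        self.entries = []

    def append(self, user: str, action: str, record_id: str, when=None) -> dict:
        entry = {
            "ts": time.time() if when is None else when,
            "user": user,
            "action": action,
            "record_id": record_id,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Walk the chain and recompute every hash; False on any break."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def unexpected_access(self, assignments: dict) -> list:
        """Information system activity review: entries where a user touched a
        record that is not among the patients assigned to them."""
        return [e for e in self.entries
                if e["record_id"] not in assignments.get(e["user"], set())]


if __name__ == "__main__":
    sealed = seal_record({"mrn": "000123", "dx": "chest pain"})   # constructed record
    print("intact:", verify_record(sealed))
    sealed["record"]["dx"] = "normal"                             # tampered in place
    print("after edit:", verify_record(sealed))
    log = AuditLog()
    log.append("jbug", "read", "000123")
    log.append("curious_user", "read", "000123")
    print("chain ok:", log.verify())
    print("review:", log.unexpected_access({"jbug": {"000123"}}))
```

A hash chain makes tampering detectable but not impossible for someone who can rewrite the whole log; in practice the latest chain hash is periodically copied to a system the log's administrators cannot write to.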
Email and HIPAA
 Careful consideration is needed when communicating through email in the healthcare world. To maintain confidentiality, every email that contains or refers to protected health information should be encrypted.
 Encryption: the use of a mathematical algorithm and a key to encode messages so that only holders of the matching key can read them (Hebda & Czar, 2013).
 Packet filter: a firewall technique that inspects each packet entering the network (addresses, ports, protocol) and accepts or rejects it according to a rule set (Hebda & Czar, 2013).
 Application gateway: a firewall that relays application-level traffic, such as email or web requests, between two systems, so that the other computers on the internal network are never directly exposed (Hebda & Czar, 2013).
 Circuit-level gateway: a firewall that approves or denies a connection from outside the network when it is first requested and then relays the approved session; traffic that does not belong to an approved connection is dropped (Hebda & Czar, 2013).
 Proxy server: an intermediary that makes requests on behalf of internal clients and keeps their network addresses hidden from the outside (Hebda & Czar, 2013).
CASE STUDY #2
 June is a nurse on a telemetry unit in a busy city hospital. One of her patients, Jane Doe, has been in the hospital since Friday evening. It is now Sunday night and Jane is worried about not making it to work on Monday. She asks June to send an email to her employer letting them know that she has been in the hospital and will likely be out of work for a few days: she is to have a cardiac catheterization Monday morning and, even if everything looks good, she will need to stay to be monitored overnight. Since June likes to help as much as she can, she agrees to send the email. See the email below.
To: Janesjob@joco.net
From: Junebug@aol.com
Subject: Jane Doe in hospital
To whom it may concern,
I am writing to inform you that your employee, Jane Doe has been in University Hospital since Friday. She came in with chest
pain, had a positive stress test and is scheduled to have a cardiac catheterization tomorrow, Monday. She asked me to email
you to let you know that she will not be at work on Monday and will most likely be out of work on Tuesday as well. Thank
you for understanding.
Sincerely, June Bug, RN
 Does this email comply with HIPAA standards?
 NO!
 What's wrong with this email?
 The email contains private medical information about a patient and was sent from a personal email account rather than through the hospital's secure email system, so it did not go through the hospital's encryption or audit controls.
 The patient's name is in the subject line, which is visible even when the body is protected. That is not allowed.
 It also discloses more than the patient asked for: she asked that her employer be told she is in the hospital and will be out of work, but the message adds her presenting symptom, her test result and her scheduled procedure.
 Be careful when sending email containing patient information. A smarter alternative would have been to let the patient send the message from her own email account. Most hospitals offer internet access in all patient rooms, so there was no reason the patient could not have sent the email herself.
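The two faults in June's email are exactly the kind of thing an outbound mail check can catch before the message leaves. The following Python is an added example, not part of the presentation: it parses a raw message with the standard library's email package and flags a non-organizational sender, a known patient name in the subject line, and clinical terms in a body addressed to an external recipient. The approved domain, the patient-name set, the clinical-term list and both sample messages are constructed for the demo; a real filter would take these from the directory and patient index.

```python
import email
from email import policy

# Added example, not from the presentation. Domain, term list and sample
# messages are constructed for the demo.
APPROVED_DOMAINS = {"universityhospital.example"}
CLINICAL_TERMS = ("chest pain", "stress test", "catheterization", "diagnos", "lab result")


def _domains(header) -> set:
    """Lowercased domains of every address in a parsed To/Cc/From header."""
    if header is None:
        return set()
    return {addr.domain.lower() for addr in header.addresses}


def check_outbound(raw: str, patient_names) -> list:
    """Return policy findings for one outbound message; empty means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender must be an organizational account (hospital mail is encrypted and audited).
    sender_domains = _domains(msg["From"])
    if not sender_domains or not sender_domains <= APPROVED_DOMAINS:
        findings.append(f"sent from a non-organizational account: {msg['From']}")

    # 2. No patient name in the subject line; subjects travel in the clear.
    subject = str(msg["Subject"] or "").lower()
    for name in patient_names:
        if name.lower() in subject:
            findings.append(f"patient name in subject line: {name}")

    # 3. Clinical detail going to an external recipient.
    recipients = _domains(msg["To"]) | _domains(msg["Cc"])
    external = bool(recipients - APPROVED_DOMAINS)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    hits = [t for t in CLINICAL_TERMS if t in body]
    if external and hits:
        findings.append("clinical details sent to an external recipient: " + ", ".join(hits))
    return findings


# The case-study message, reconstructed as raw text.
BAD_EMAIL = """\
To: Janesjob@joco.net
From: Junebug@aol.com
Subject: Jane Doe in hospital

To whom it may concern,
I am writing to inform you that your employee, Jane Doe has been in University
Hospital since Friday. She came in with chest pain, had a positive stress test and
is scheduled to have a cardiac catheterization tomorrow, Monday.
Sincerely, June Bug, RN
"""

# What a compliant version from the hospital system, limited to what Jane asked for, looks like.
OK_EMAIL = """\
To: Janesjob@joco.net
From: jbug@universityhospital.example
Subject: Absence notice

To whom it may concern,
At her request I am letting you know that Jane Doe will be unable to work on Monday and Tuesday.
Sincerely, June Bug, RN
"""

if __name__ == "__main__":
    for label, raw in (("case study", BAD_EMAIL), ("compliant", OK_EMAIL)):
        print(label, "->", check_outbound(raw, {"Jane Doe"}) or "no findings")
```

The keyword match is a crude stand-in for a data-loss-prevention classifier, but the structure is the one a mail gateway uses: parse, then apply sender, header and body rules independently so each finding can be reported and audited on its own.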
CASE STUDY #1 ANSWER KEY
 Explain what is considered protected health information under this rule.
 PHI includes any health-related information that could identify an individual, such as name, age, social security number, health conditions, prescriptions, lab results, and claims information (Hebda & Czar, 2013).
 Describe 3 situations where disclosure is or is not permitted when the patient is present and is able to make decisions.
 The patient needs an interpreter. Medical information may be shared with an interpreter who works for the healthcare provider or has a signed business associate agreement with the provider, or with a family member acting as interpreter if the patient agrees.
 The patient verbally agrees to let the healthcare provider discuss the current medical condition with a family member. Written consent is not a requirement of HIPAA, but may be a requirement of the healthcare facility.
 The patient is discussing his health condition with the physician when the patient's sister and a friend enter the room. The healthcare provider should ask the patient for permission to continue with the sister and friend present. Without verbal consent the provider should not continue to discuss the patient's medical condition (U.S. Department of Health, A healthcare provider's guide, n.d.).
 Describe 3 situations where disclosure is or is not permitted when the patient is NOT present or is NOT able to make decisions.
 The provider may discuss relevant information with a family member or friend if the provider determines that doing so is in the best interest of the patient.
 The provider discusses the patient's care with her physician assistant in a public elevator while returning to her office, with five other people present who are not involved in the patient's care and are not family members or friends of the patient. This is not permitted.
 The provider allows a friend of the patient to pick up the patient's x-rays. The provider may use professional judgment in allowing someone other than the patient to pick up prescriptions, x-rays, medical equipment or similar items (U.S. Department of Health, A healthcare provider's guide, n.d.).
References
104th Congress of the United States. (1996). Health insurance portability and accountability act of 1996. Retrieved from www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/HIPAALaw.pdf
111th Congress of the United States. (2009). American Recovery and Reinvestment Act of 2009 (pp. 112-165). Retrieved from www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf
Centers for Medicare & Medicaid. (2013, April 17). Meaningful use. Retrieved from www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html
Centers for Medicare & Medicaid. (2013, April 4). Medicare and Medicaid EHR incentive programs. Retrieved from www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Basics.html
Centers for Medicare & Medicaid. (2013, April 17). Transaction and code set standards. Retrieved from www.cms.gov/Regulations-and-Guidance/HIPPPA-Simplification/TransactionCodeSetsStands/index.html?redirect=/TransactionCodeSetsStands/02_TransactionsandCodeSetsRegulations.asp
Hebda, T., & Czar, P. (2013). Handbook of informatics for nurses and healthcare professionals (5th ed.). Upper Saddle River, NJ: Pearson.
NCBI Bookshelf. (2009). The value and importance of health information privacy: Beyond the HIPAA Privacy Rule. Washington, D.C.: National Academy of Sciences. Retrieved from http://www.ncbi.nlm.nih.gov/books/NBK9579/?report=printable
Office of Civil Rights. (2010, July 14). Guidance on risk analysis requirements under the HIPAA security rule. Retrieved from www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Ouellette, P. (2012, November). A look at HIPAA administrative safeguard requirements. Health IT Security. Retrieved from healthitsecurity.com/2012/11/26/a-look-at-hipaa-administrative-safeguard-requirements/
U.S. Department of Health & Human Services. (n.d.). Health information privacy. Retrieved from www.hhs.gov/ocr/privacy/index.html
U.S. Department of Health & Human Services, Office of Civil Rights. (n.d.). A healthcare provider's guide to the HIPAA privacy rule: Communicating with a patient's family, friends, or others involved in the patient's care. Retrieved from www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf
U.S. Department of Health & Human Services. (n.d.). HIPAA administrative simplification statute and rules. Retrieved from www.hhs.gov/ocr/privacy/hippa/administrative
U.S. Department of Health & Human Services. (n.d.). Other administrative simplification rules. Retrieved from www.hhs.gov/ocr/privacy/hipaa/administrative/other/index.html
U.S. Department of Health & Human Services. (n.d.). Summary of the HIPAA privacy rule. Retrieved from www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

More Related Content

What's hot

Application Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceApplication Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceTrueVault
 
HIPPA Compliance
HIPPA ComplianceHIPPA Compliance
HIPPA Compliancedixibee
 
HIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesHIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesNisos Health
 
Security & Privacy - Lecture E
Security & Privacy - Lecture ESecurity & Privacy - Lecture E
Security & Privacy - Lecture ECMDLearning
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideFelipe Prado
 
Hippa slide show
Hippa slide showHippa slide show
Hippa slide showheathercool
 
Understanding HIPAA
Understanding HIPAAUnderstanding HIPAA
Understanding HIPAAManas Deep
 
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...Quinnipiac University
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingvrgill22
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceControlCase
 
Hipaa checklist for healthcare software
Hipaa checklist for healthcare softwareHipaa checklist for healthcare software
Hipaa checklist for healthcare softwareConcetto Labs
 
Do You Know How to Handle a HIPAA Breach?
Do You Know How to Handle a HIPAA Breach?Do You Know How to Handle a HIPAA Breach?
Do You Know How to Handle a HIPAA Breach?Compliancy Group
 

What's hot (20)

Application Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceApplication Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA Compliance
 
HIPPA Compliance
HIPPA ComplianceHIPPA Compliance
HIPPA Compliance
 
What is hipaa
What is hipaaWhat is hipaa
What is hipaa
 
HIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesHIPAA Compliance For Small Practices
HIPAA Compliance For Small Practices
 
Security & Privacy - Lecture E
Security & Privacy - Lecture ESecurity & Privacy - Lecture E
Security & Privacy - Lecture E
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guide
 
HITECH Act
HITECH ActHITECH Act
HITECH Act
 
Hippa laws
Hippa lawsHippa laws
Hippa laws
 
HIPAA
HIPAAHIPAA
HIPAA
 
Hippa slide show
Hippa slide showHippa slide show
Hippa slide show
 
Understanding HIPAA
Understanding HIPAAUnderstanding HIPAA
Understanding HIPAA
 
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
 
Data security training
Data security trainingData security training
Data security training
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
 
HIPAA TITLE II (2)
HIPAA TITLE II (2)HIPAA TITLE II (2)
HIPAA TITLE II (2)
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy training
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) Compliance
 
Hipaa checklist for healthcare software
Hipaa checklist for healthcare softwareHipaa checklist for healthcare software
Hipaa checklist for healthcare software
 
Do You Know How to Handle a HIPAA Breach?
Do You Know How to Handle a HIPAA Breach?Do You Know How to Handle a HIPAA Breach?
Do You Know How to Handle a HIPAA Breach?
 

Similar to Group presentation hippa ppt

Ethical & Legal Issues for Health IT in Thailand's Context
Ethical & Legal Issues for Health IT in Thailand's ContextEthical & Legal Issues for Health IT in Thailand's Context
Ethical & Legal Issues for Health IT in Thailand's ContextNawanan Theera-Ampornpunt
 
Health Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptxHealth Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptxArti Parab Academics
 
1)Health data is sensitive and confidential; hence, it should .docx
1)Health data is sensitive and confidential; hence, it should .docx1)Health data is sensitive and confidential; hence, it should .docx
1)Health data is sensitive and confidential; hence, it should .docxteresehearn
 
Priv&security&profin electrcommunicationsrev9 23
Priv&security&profin electrcommunicationsrev9 23Priv&security&profin electrcommunicationsrev9 23
Priv&security&profin electrcommunicationsrev9 23Deven McGraw
 
Legal and ethical considerations in nursing informatics
Legal and ethical considerations in nursing informaticsLegal and ethical considerations in nursing informatics
Legal and ethical considerations in nursing informaticsAHMED ZINHOM
 
Training on confidentiality MHA690 Hayden
Training on confidentiality MHA690 HaydenTraining on confidentiality MHA690 Hayden
Training on confidentiality MHA690 Haydenhaydens
 
Health information system security
Health information system securityHealth information system security
Health information system securitykristinleighclark
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxwlynn1
 
Confidentiality Privacy and Security.ppt
Confidentiality Privacy and Security.pptConfidentiality Privacy and Security.ppt
Confidentiality Privacy and Security.pptJohnLagman3
 
Exploiting multimodal biometrics in e privacy scheme for electronic health re...
Exploiting multimodal biometrics in e privacy scheme for electronic health re...Exploiting multimodal biometrics in e privacy scheme for electronic health re...
Exploiting multimodal biometrics in e privacy scheme for electronic health re...Alexander Decker
 
Security and privacy preserving challenges of e-health solutions in cloud com...
Security and privacy preserving challenges of e-health solutions in cloud com...Security and privacy preserving challenges of e-health solutions in cloud com...
Security and privacy preserving challenges of e-health solutions in cloud com...Venkat Projects
 
Systems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docxSystems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docxperryk1
 
Hello Shreya,Detailed analysis of data breaches that occurred in
Hello Shreya,Detailed analysis of data breaches that occurred inHello Shreya,Detailed analysis of data breaches that occurred in
Hello Shreya,Detailed analysis of data breaches that occurred inSusanaFurman449
 
telemedicineppt.pptx
telemedicineppt.pptxtelemedicineppt.pptx
telemedicineppt.pptxRiyaMathur18
 
Legal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing InformaticsLegal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing InformaticsKimarie Brown
 
Secure E- Health Care Model
Secure E- Health Care ModelSecure E- Health Care Model
Secure E- Health Care ModelIOSR Journals
 
Updated.docx
Updated.docxUpdated.docx
Updated.docxwrite5
 
Security issues and framework of electronic medical record: A review
Security issues and framework of electronic medical record: A reviewSecurity issues and framework of electronic medical record: A review
Security issues and framework of electronic medical record: A reviewjournalBEEI
 

Similar to Group presentation hippa ppt (20)

Ethical & Legal Issues for Health IT in Thailand's Context
Ethical & Legal Issues for Health IT in Thailand's ContextEthical & Legal Issues for Health IT in Thailand's Context
Ethical & Legal Issues for Health IT in Thailand's Context
 
Health Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptxHealth Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptx
 
1)Health data is sensitive and confidential; hence, it should .docx
1)Health data is sensitive and confidential; hence, it should .docx1)Health data is sensitive and confidential; hence, it should .docx
1)Health data is sensitive and confidential; hence, it should .docx
 
Priv&security&profin electrcommunicationsrev9 23
Priv&security&profin electrcommunicationsrev9 23Priv&security&profin electrcommunicationsrev9 23
Priv&security&profin electrcommunicationsrev9 23
 
Legal and ethical considerations in nursing informatics
Legal and ethical considerations in nursing informaticsLegal and ethical considerations in nursing informatics
Legal and ethical considerations in nursing informatics
 
Training on confidentiality MHA690 Hayden
Training on confidentiality MHA690 HaydenTraining on confidentiality MHA690 Hayden
Training on confidentiality MHA690 Hayden
 
Health information system security
Health information system securityHealth information system security
Health information system security
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
 
Confidentiality Privacy and Security.ppt
Confidentiality Privacy and Security.pptConfidentiality Privacy and Security.ppt
Confidentiality Privacy and Security.ppt
 
Exploiting multimodal biometrics in e privacy scheme for electronic health re...
Exploiting multimodal biometrics in e privacy scheme for electronic health re...Exploiting multimodal biometrics in e privacy scheme for electronic health re...
Exploiting multimodal biometrics in e privacy scheme for electronic health re...
 
Security and privacy preserving challenges of e-health solutions in cloud com...
Security and privacy preserving challenges of e-health solutions in cloud com...Security and privacy preserving challenges of e-health solutions in cloud com...
Security and privacy preserving challenges of e-health solutions in cloud com...
 
Ijcet 06 06_004
Ijcet 06 06_004Ijcet 06 06_004
Ijcet 06 06_004
 
Systems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docxSystems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docx
 
Hello Shreya,Detailed analysis of data breaches that occurred in
Hello Shreya,Detailed analysis of data breaches that occurred inHello Shreya,Detailed analysis of data breaches that occurred in
Hello Shreya,Detailed analysis of data breaches that occurred in
 
telemedicineppt.pptx
telemedicineppt.pptxtelemedicineppt.pptx
telemedicineppt.pptx
 
Legal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing InformaticsLegal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing Informatics
 
HIPAA
HIPAAHIPAA
HIPAA
 
Secure E- Health Care Model
Secure E- Health Care ModelSecure E- Health Care Model
Secure E- Health Care Model
 
Updated.docx
Updated.docxUpdated.docx
Updated.docx
 
Security issues and framework of electronic medical record: A review
Security issues and framework of electronic medical record: A reviewSecurity issues and framework of electronic medical record: A review
Security issues and framework of electronic medical record: A review
 

Group presentation hippa ppt

  • 1. Health Insurance Portability and Accountability Act HIPPA
  • 2. Introduction  The Health Insurance Portability and Accountability Act (HIPPA) of 1996 addressed concerns of consumers regarding, 1) availability of insurance coverage when switching jobs and 2) privacy of health information with the increased usage of electronic health communications and transactions (104th Congress, 1996).  As mandated in the HIPAA, the US Department of Health and Human Services developed rules regarding health transactions. These rules include privacy, security, transaction and code sets, national provider identifiers, and enforcement (HIPAA administrative, n.d.). Privacy Security Confidentialit y COMPLIANCE
  • 3. Definitions  Confidentiality: the sharing of private information within an established relationship that includes the ethical principle that information will not be disclosed unless consent is given (Hebda & Czar, 2013).  Privacy Rule: developed to protect an individual’s right to know who has access to or may use or disclose their personal health information (PHI) (Hebda & Czar, 2013).  Security Rule: addresses electronic PHI and lays out administrative, physical, and technical safeguards to protect electronic information. (U.S Department of Health, Health information, n.d.).  Transaction and Code Set Rule: addresses the standardization of electronic health care transactions used by covered entities (U.S. Department of Health, Other administrative, n.d.).  Electronic Data Interchange (EDI) codes  International Classification of Disease (ICD) codes
  • 4. Health Information Technology for Economic and Clinical Health Act  The Health Information Technology for Economic and Clinical Health Act (HITECH) is a part of the 2009 American Recovery and Reinvestment Act (Hebda & Czar, 2013).  HITECH consists of four parts:  Subtitle A: Promotion of Health Information Technology  Subtitle B: Testing of Health Information Technology  Subtitle C: Grants and Loans Funding  Subtitle D: Privacy (111th Congress, 2009). Meaningful use: a set of standards used to identify improved patient care (Centers for Medicare & Medicaid, 2013, April 17).
  • 5. Risk Assessment  With an increased reliance on electronic health records comes increased risks in the forms of violation to patient’s privacy, reduced quality of care, and increased costs to medical facilities due to the loss of patient information (Office of Civil Rights, 2010).  Vulnerability: a weakness in a system which provides an opportunity for a threat to cause damage. Vulnerability may be part of the hardware or software of the electronic health record, or it may be found in weak or non-existent policies and procedures (Office of Civil Rights, 2010).  Threat: a natural, environmental, or human (intentional or unintentional) warning or declaration to commit harm or injury (Hebda & Czar, 2013).  Risk: a function of the vulnerability of an organization to anything that threatens the continuation of their operations (Hebda & Czar, 2013).
  • 6. CASE STUDY  At the next staff meeting you have to present a review of the Privacy Rule of HIPAA along with specific examples of the privacy rule in action.  Explain what is considered patient health information under this rule.  Describe 3 situations where disclosure is or is not permitted when the patient is present and is able to make decisions.  Describe 3 situations where disclosure is or is not permitted when the patient is NOT present or is NOT able to make decisions. Handout:www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provid er_ffg.pdf *Answer key provided at the end of presentation. **Click on mouse to advance to next slide
  • 7. Avoiding Breaches in Security To avoid breaches in security it is important to have safeguards in place:  Authentication: a unique ID that directly links healthcare professionals to information they are allowed to view that is used in conjunction with a password, which is a unique combination of numbers and letters created by the user (Hebda & Czar, 2013).  Public Key Infrastructure (PKI): a unique code given to employees by organizations that acts as an identifier of an authorized user (Hebda & Czar, 2013).  Biometrics: use biological characteristics such as a fingerprints, retina, facial structure, hand shape, ear pattern, voice patterns, to identify a person (Hebda & Czar, 2013).
  • 8. Keys to Creating a Strong Password
    • Passwords should be long, a combination of 12-14 characters, using both upper and lowercase letters and random numbers.
    • Use a variety of different passwords to access different databases.
    • Never allow a system to save or remember your password.
    • Do not use birthdates, anniversary dates, social security numbers, phone numbers, etc. as passwords, as they are easier to guess.
    • Do not use a repeated number as your password, e.g. 222222.
    • Keep passwords private. Do not tell anyone your password and do not write it down.
    • Change your password every couple of months and do not repeat a password that has been used previously.
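A checker that enforces the rules on this slide when a user picks a new password, added here as an illustration and not part of the original presentation; the number of remembered passwords and the digit-string shapes treated as dates, SSNs or phone numbers are assumptions.

```python
import hashlib
import re

MIN_LENGTH = 12      # slide: passwords should be 12-14 characters long
# Number of previous passwords remembered for the "do not repeat" rule (assumption).
HISTORY_SIZE = 5


def _fingerprint(password):
    """Constructed history store: a real system compares against a salted
    password hash; an unsalted digest is used here only to keep the example short."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _looks_like_personal_number(password):
    """Digit strings shaped like dates, SSNs or phone numbers, with or without
    separators, are what the slide says not to use (the lengths are assumptions)."""
    digits_only = re.sub(r"[\s/().-]", "", password)
    return digits_only.isdigit() and len(digits_only) in (6, 8, 9, 10)


def check_password(password, history=()):
    """Return the list of slide rules the candidate password violates (empty if OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if len(set(password)) == 1:          # e.g. 222222
        problems.append("single repeated character")
    if _looks_like_personal_number(password):
        problems.append("looks like a date, SSN or phone number")
    if _fingerprint(password) in history:
        problems.append("previously used")
    return problems


def remember(history, password):
    """Record an accepted password, keeping only the most recent HISTORY_SIZE entries."""
    fp = _fingerprint(password)
    updated = [h for h in history if h != fp] + [fp]
    return tuple(updated[-HISTORY_SIZE:])


if __name__ == "__main__":
    for candidate in ("222222", "03/14/1985", "Tele-metry9Unit!"):
        print(candidate, "->", check_password(candidate) or "accepted")
```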
  • 9. Safeguards Principle
    • With advancements in technology, the challenge of maintaining the integrity of electronic protected health information (EPHI) is increased. The safeguards principle was established to protect confidentiality and prevent unauthorized use or disclosure of this information (Hebda & Czar, 2013).
    • Administrative Safeguards: implement policies and procedures to prevent and expose violations of security.
    • Physical Safeguards: use physical measures to protect the integrity of confidential information.
    • Technical Safeguards: protect electronic health information and control access to it.
  • 10. Administrative Safeguards
    • Risk analysis: assess potential risks that would compromise the confidentiality of EPHI (Hebda & Czar, 2013).
    • Risk management: analysis of the risk assessment and the implementation of security measures to ensure the integrity of data is maintained (Hebda & Czar, 2013).
    • Sanction policy: have consequences should users fail to comply with the security measures in place (Hebda & Czar, 2013).
    • Information system activity review: regularly review usage to track security incidents (Hebda & Czar, 2013).
  • 11. Physical Safeguards
    • Access controls: limit access to information to authorized users (Hebda & Czar, 2013).
    • Workstation use: use computers, laptops, PDAs or other devices that transmit confidential data in a way that ensures the integrity of the system (Hebda & Czar, 2013).
    • Workstation security: require users to log on to the system each time they wish to access the database and to log off before leaving the workstation (Hebda & Czar, 2013).
    • Device and media controls: require the removal and disposal of information stored on a device that will no longer be used in the facility (Hebda & Czar, 2013).
  • 12. Technical Safeguards
    • Access controls: limit access to information to authorized users (Hebda & Czar, 2013).
    • Audit controls: have software in place that monitors use of systems that contain electronic protected health information (Hebda & Czar, 2013).
    • Integrity controls: ensure that electronic protected health information (EPHI) is not being improperly used (Hebda & Czar, 2013).
    • Transmission security: prevent unauthorized users from gaining access to EPHI (Hebda & Czar, 2013).
  • 13. Email and HIPAA
    • Careful consideration must be given when communicating through email in the healthcare world. To maintain confidentiality when using email, all emails containing or referencing private health information should be encrypted.
    • Encryption: the use of a mathematical formula to encode and protect messages (Hebda & Czar, 2013).
    • Packet filter: a technique that inspects information coming into the network and accepts or rejects it based on its findings (Hebda & Czar, 2013).
    • Application gateway: allows two systems to communicate by creating a connection between the two and protecting information on other computers in the network (Hebda & Czar, 2013).
    • Circuit-level gateway: allows communication from outside the network once a request has been made and approved by the firewall; otherwise the request is denied and dropped (Hebda & Czar, 2013).
    • Proxy server: helps to keep network addresses unknown (Hebda & Czar, 2013).
  • 14. CASE STUDY #2
    • June is a nurse on a telemetry unit in a busy city hospital. One of her patients has been in the hospital since Friday evening. It is now Sunday night and your patient, Jane Doe, is worried about not making it to work on Monday. She asks you to send an email to her employer letting them know that she has been in the hospital and will likely be out of work for a few days, considering she is to have a cardiac catheterization Monday morning and, even if everything looks good, she will need to stay to be monitored overnight. Since June likes to help as much as she can, she agrees to send the email. See the email below.
    To: Janesjob@joco.net
    From: Junebug@aol.com
    Subject: Jane Doe in hospital
    To whom it may concern,
    I am writing to inform you that your employee, Jane Doe, has been in University Hospital since Friday. She came in with chest pain, had a positive stress test and is scheduled to have a cardiac catheterization tomorrow, Monday. She asked me to email you to let you know that she will not be at work on Monday and will most likely be out of work on Tuesday as well. Thank you for understanding.
    Sincerely,
    June Bug, RN
    • Does this email comply with HIPAA law standards?
    • NO!
    • What's wrong with this email?
    • This email, containing private medical information about a patient, was sent using personal email, not the hospital's secure network email system.
    • The patient's name is included in the subject line. That is not allowed.
    • Be careful when sending email containing patient information. A smart alternative would have been to set the patient up on her own email to send the message. Most hospitals offer internet access in all patient rooms. There is no reason the patient could not have sent the email out herself.
  • 15. CASE STUDY #1 ANSWER KEY
    • Explain what is considered patient health information under this rule.
      • PHI includes any information that could identify an individual, such as name, age, social security number, health conditions, prescriptions, lab results, and claims information (Hebda & Czar, 2013).
    • Describe 3 situations where disclosure is or is not permitted when the patient is present and is able to make decisions.
      • Patient needs an interpreter. Medical information may be shared with the interpreter who works for the healthcare provider or has a signed business associate agreement with the healthcare provider, or if the interpreter is a family member of the patient and the patient agrees.
      • Patient verbally agrees to let the healthcare provider discuss the current medical condition with a family member. Written consent is not a requirement of HIPAA, but may be a requirement of the healthcare facility.
      • Patient is discussing his health condition with the physician when the patient's sister and friend enter the room. The healthcare provider should ask the patient for permission to continue with the sister and friend present. Without verbal consent the provider should not continue to discuss the patient's medical condition (U.S. Department of Health, A healthcare provider's guide, n.d.).
    • Describe 3 situations where disclosure is or is not permitted when the patient is NOT present or is NOT able to make decisions.
      • Provider may discuss relevant information with a family member or friend if the provider determines it is in the best interest of the patient.
      • Provider discusses the patient's care with her Physician's Assistant in a public elevator while returning to her office, and 5 other people are present who are not involved in the patient's care and are not family members or friends of the patient. This is not permitted.
      • Provider allows a friend of the patient to pick up the patient's x-rays. The provider may use professional judgment in allowing someone other than the patient to pick up prescriptions, x-rays, medical equipment or other similar types of medical information of the patient (U.S. Department of Health, A healthcare provider's guide, n.d.).
  • 16. References
    104th Congress of the United States. (1996). Health insurance portability and accountability act of 1996. Retrieved from www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/HIPAALaw.pdf
    111th Congress of the United States. (2009). American Recovery and Reinvestment Act of 2009 (pp. 112-165). Retrieved from www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf
    Centers for Medicare & Medicaid. (2013, April 17). Meaningful use. Retrieved from www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html
    Centers for Medicare & Medicaid. (2013, April 4). Medicare and Medicaid EHR incentive programs. Retrieved from www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Basics.html
    Centers for Medicare & Medicaid. (2013, April 17). Transaction and code set standards. Retrieved from www.cms.gov/Regulations-and-Guidance/HIPPPA-Simplification/TransactionCodeSetsStands/index.html?redirect=/TransactionCodeSetsStands/02_TransactionsandCodeSetsRegulations.asp
    Hebda, T., & Czar, P. (2013). Handbook of informatics for nurses and healthcare professionals (5th ed.). Upper Saddle River, NJ: Pearson.
    NCBI Bookshelf. (2009). The value and importance of health information privacy: Beyond the HIPAA Privacy Rule. Washington, D.C.: National Academy of Sciences. Retrieved from http://www.ncbi.nlm.nih.gov/books/NBK9579/?report=printable
    Office of Civil Rights. (2010, July 14). Guidance on risk analysis requirements under the HIPAA security rule. Retrieved from www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
    Ouellette, P. (2012, November). A look at HIPAA administrative safeguard requirements. Health IT Security. Retrieved from healthitsecurity.com/2012/11/26/a-look-at-hipaa-administrative-safeguard-requirements/
    U.S. Department of Health & Human Services. (n.d.). Health information privacy. Retrieved from www.hhs.gov/ocr/privacy/index.html
    U.S. Department of Health & Human Services, Office of Civil Rights. (n.d.). A healthcare provider's guide to the HIPAA privacy rule: Communicating with a patient's family, friends, or others involved in the patient's care. Retrieved from www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf
    U.S. Department of Health & Human Services. (n.d.). HIPAA administrative simplification statute and rules. Retrieved from www.hhs.gov/ocr/privacy/hippa/administrative
    U.S. Department of Health & Human Services. (n.d.). Other administrative simplification rules. Retrieved from www.hhs.gov/ocr/privacy/hipaa/administrative/other/index.html
    U.S. Department of Health & Human Services. (n.d.). Summary of the HIPAA privacy rule. Retrieved from www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html