2. CONTENT
∆ Introduction to HIPAA
∆ Purpose of HIPAA
∆ HIPAA Compliance
∆ Privacy Rules
∆ Security Rules
∆ Breach Notification Rules
∆ Checklist of HIPAA Compliance
∆ Protected Health Information (PHI)
∆ Covered Entities (CE)
∆ Business Associates
∆ Permitted Uses and Disclosures
∆ HMIS User Rights
∆ HIPAA vs HIPPA
∆ Forms References
3. INTRODUCTION TO HIPAA
Health Insurance Portability and Accountability Act of 1996
∆ HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
∆ Portability
1. Created to ensure access to health coverage.
2. Allows for continuity in health coverage when people change or lose jobs.
∆ Accountability
1. Health care fraud is a federal crime.
2. Fines or jail may apply.
3. Individuals and organizations face sanctions.
4. PURPOSE OF HIPAA
∆ Privacy of Health Information
∆ Security of Electronic Records
∆ Administrative Simplification
∆ Insurance Portability
5. HIPAA COMPLIANCE
The Health Insurance Portability and Accountability Act of 1996 is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996.
HIPAA compliance is the process that covered entities and business associates follow to protect and secure Protected Health Information (PHI) as prescribed by the Health Insurance Portability and Accountability Act.
That's legalese for “keep people's healthcare data private.”
∆ THREE MAIN RULES OF HIPAA COMPLIANCE
1. Privacy Rule
2. Security Rule
3. Breach Notification Rule
6. PRIVACY RULES
The Privacy Rule went into effect April 14, 2003.
The Privacy Rule is designed to protect individuals’ Protected Health Information (PHI) and allows individuals to:
1. Get a copy of their medical records.
2. Ask for changes to their medical records.
3. Find out and limit how their PHI may be used.
4. Know who has received their PHI (an accounting of disclosures).
5. Have communications sent to an alternate location or by an alternate means.
6. File a complaint and participate in investigations.
7. SECURITY RULES
The Security Rule (the IT regulation) went into effect April 21, 2005.
It applies to electronic Protected Health Information (ePHI) and requires administrative, physical, and technical safeguards that control:
• Confidentiality of ePHI (only authorized people and systems can read it).
• Storage of ePHI, including its integrity and availability, not only its secrecy.
• Access to electronic information (who can view or change ePHI, and a record of that activity).
8. BREACH NOTIFICATION RULES
A breach is defined in 45 CFR § 164.402 (HIPAA section 164.402), as highlighted in the HIPAA Survival Guide, as:
“The acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.”
Under the same section, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability the PHI has been compromised. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered.
10. PROTECTED HEALTH INFORMATION (PHI)
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.
At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
11. PROTECTED HEALTH INFORMATION (PHI)
Types of data protected by HIPAA:
∆ Written documentation and all paper records
∆ Spoken and verbal information, including voice mail messages
∆ Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device
∆ Photographic images
∆ Audio and video recordings
12. PROTECTED HEALTH INFORMATION (PHI)
What does PHI include?
Information in the health record, such as:
∆ Encounter/visits documentation
∆ Lab Results
∆ Appointment Date/Time
∆ Invoices
∆ Radiology Films and Reports
∆ History and Physicals (H&Ps)
∆ Patient Identifiers
14. COVERED ENTITY (CE)
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, covers both individuals and organizations. Those who must comply with HIPAA are often called HIPAA-covered entities. HIPAA-covered entities include health plans, clearinghouses, and certain health care providers.
15. COVERED ENTITY (CE)
HEALTH CARE PROVIDERS
Consult with patients, discuss their health care needs, and offer advice. Diagnose illnesses and offer prognoses as required. Provide a medical service or perform a procedure depending on the patient's needs. Prescribe medication and/or provide the best course of action.
_________________________________________
Every health care provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
16. COVERED ENTITY (CE)
HEALTH PLANS
Health plans in general are forms of insurance that cover the costs of medical care. The HIPAA Rules define “Health Plan” broadly because the United States has many different types of health insurance.
____________________________________
The three types of health plan covered entities are described below.
∆ Health Insurance Issuer.
∆ Health Maintenance Organization (HMO).
∆ Group Health Plan.
17. COVERED ENTITY (CE)
HEALTH CARE CLEARINGHOUSES
Clearinghouses are essentially electronic stations or hubs that allow health care practices to transmit electronic claims to insurance carriers in a secure way that protects patient health information, or protected health information.
______________________________________
Entities that process nonstandard information they receive from another entity into a standard (i.e. standard format or data content), or vice versa.
For example, if a patient fills out forms as Jenny, but their full legal name is Jennifer, the clearinghouse makes sure those records get combined and not added as a new patient. It will also check for duplicate or incorrect codes that tell the system what to bill for.
18. BUSINESS ASSOCIATE (BA)
A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity.
Examples of business associates are lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, web hosts, etc. (This list could go on for a while.)
You are required to have a Business Associate Agreement (BAA) with these people before they handle your PHI.
19. PERMITTED USES AND DISCLOSURES
The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission:
∆ When required by law
∆ Public health activities
∆ Victims of abuse or neglect or domestic violence
∆ Health oversight activities
∆ Judicial and administrative proceedings
∆ Law enforcement
∆ Functions (such as identification) concerning deceased persons
∆ Cadaveric organ, eye, or tissue donation
∆ Research, under certain conditions
∆ To prevent or lessen a serious threat to health or safety
∆ Essential government functions
∆ Workers’ compensation
20. HMIS USER RIGHTS
JOB TITLE / DEPARTMENT / USER RIGHTS
Patient Services (Department: Call Centre, Referrals)
∆ Appointment Scheduling
∆ Override Schedule - with RN approval
∆ View / Modify Patient Information
∆ Daily Appointment Reports
Front Desk / Medical Assistance Managers / Directors (Department: Clinic, BH Department)
∆ Appointment Scheduling
∆ View / Modify Patient Information
∆ Daily Appointment Reports
∆ Transaction Entry
Medical Records Clerk (Department: Medical Records)
∆ View Patient Information
∆ View Schedule
Medication Refill (Department: Medical Records)
∆ Appointment Scheduling
∆ View Patient Information
Nurse Managers (Department: Clinic)
∆ View Schedule
∆ Appointment Scheduling
∆ Override Schedule - with RN approval
∆ View / Modify Patient Information
∆ Daily Appointment Reports
21. HMIS USER RIGHTS
JOB TITLE / DEPARTMENT / USER RIGHTS
IT Department: Application Analyst, Project Support, Clinical Applications Manager, HIT Coordinator (Department: IT Department)
∆ Schedule Template – Add / Modify
∆ Full System Administrative Rights
∆ Full File Maintenance Rights
∆ All Operational Functions in EPM
Senior Staff (Department: Admin Finance)
∆ View / Modify Patient Information
∆ Full Report Access
∆ Appointment Scheduling
∆ Cash Management / Transaction Entry and Modify
Billing Clerk, Billing Manager (Department: Billing Department)
∆ Charge Entry
∆ Claim Entry
∆ Process Claim
∆ Financial Reports
∆ Payer Information / Edit / Modify
Behavioural Health Counsellors, Interns (Department: Behavioural Health)
∆ Appointment Scheduling
∆ View / Modify Patient Information
∆ Daily Appointment Reports
22. HIPAA vs HIPPA
HIPAA (Health Insurance Portability and Accountability Act)
∆ Protects health coverage for people who change jobs.
∆ Requires medical providers to give patients access to their PHI.
∆ Requires medical providers to protect the privacy of health information.
∆ History: passed by Congress and signed into law by President Bill Clinton in 1996.
∆ Is it a real law? Yes.
HIPPA (“Health Information Privacy Protection Act”)
∆ Prohibits stores and restaurants from asking for proof of vaccination.
∆ Prohibits stores and restaurants from requiring you to wear a mask.
∆ Prohibits anyone from asking you for any health information for any reason.
∆ History: invented by people on the internet during the COVID-19 pandemic.
∆ Is it a real law? No.