SlideShare a Scribd company logo

HIPAA for Dummies

H
hipaacompliance

The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage – such as portability and the coverage of individuals with pre-existing conditions. https://www.hipaajournal.com/hipaa-training-requirements/

Business
1 of 51
Download to read offline
HIPAA FOR DUMMIES Everything you need to know
Health Insurance Portability and Accountability Act
1. Why was HIPAA Created?
The purpose ● Modernize the flow of healthcare information ● Stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft ● Address limitations on healthcare insurance coverage – such as portability and the coverage of individuals with pre-existing conditions
1996: The Secretary of Health and Human Services (HSS) proposed standards that protect individual health information 1999: First set of proposed “Code Set” standards 2000: First proposals for the Privacy Rule Nowadays: The scope of the Act has been extended to cover Business Associates – third party service providers that perform a function on behalf of a HIPAA-Covered Entity that involves the use or disclosure of Protected Health Information (PHI). The Timeline
The HIPAA regulations policies U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) State Attorney Generals Have the authority impose financial penalties on Covered Entities and Business Associates for violations of HIPAA
2. What is the Purpose of HIPAA?
2004 HIPAA Combat fraud Combat abuse 1996 2007
We need to accommodate the advances in technology and changes to working practices
● HIPAA is technology-neutral ● HIPAA does not preempt state law, except in circumstances in which the state´s privacy and security regulations are weaker than those in HIPAA. OCR guidance has gone digital (Listserv application) Frequent guidance issued by OCR New HIPAA Rules Original language of HIPAA HIPAA in 2018
3. Understanding HIPAA for Dummies
Personal Identifiers ➔ 18 Personal Identifiers ➔ Could reveal the identity of a person, their medical history or payment records ➔ Most commonly known as “Protected Health Information” or “PHI” ➔ Known as “ePHI” when stored or communicated electronically
Names or part of names Any other unique identifying characteristic Geographical identifiers Dates directly related to a person Phone number details Fax number details Details of Email addresses Social Security details Medical record numbers Health insurance beneficiary numbers Account details Certificate or license numbers Vehicle license plate details Device identifiers and serial numbers Website URLs IP address details Fingerprints, retinal and voice prints Complete face or any comparable photographic images
Personal Identifiers Name or part of name Phone number details Geographical identifiers Details of Email addresses Dates directly related to a person Medical record numbers Certificate or license numbers Website URLs Fingerprints, retinal and voice prints IP address details Social Security details Vehicle license plate details Any other unique identifying characteristic Account details Health insurance beneficiary numbers Complete face or any comparable photographic images Device identifiers and serial numbers Fax number details
The main takeaway for HIPAA compliance is that any company or individual that comes into contact with PHI must enact and enforce appropriate policies, procedures and safeguards to protect data.
Violations of HIPAA often result from the following: ● Lack of adequate risk analyses ● Lack of comprehensive employee training ● Inadequate Business Associate Agreements ● Inappropriate disclosures of PHI ● Ignorance of the minimum necessary rule ● Failure to report breaches within the prescribed timeframe
OCR may refrain from imposing a significant financial penalty on a Covered Entity if the offence has not resulted in the unauthorized disclosure of PHI Accidental offences It is likely a course of “corrective action” will be required. OCR does not consider ignorance an adequate excuse for HIPAA violations
4. Who does HIPAA apply to?
Who does HIPAA apply to? ● “HIPAA Covered Entities” (Practically all health plans, healthcare clearinghouses, healthcare suppliers, endorsed sponsors of the Medicare prescription drug discount card) ● Hybrid entities (employers who use schemes such as the Employee Assistance Program (EAP) ● Business Associates - BA (entities who supply services and perform certain functions for a Covered Entities, during which they have access to PHI)
5. HIPAA Rules Explained
Enforcement Rule05 Lays out how any resulting investigations are carried out. Determines appropriate fines Omnibus Rule04 Activated HIPAA-related changes that had been part of HITECH Breach notification Rule 03 The Department of Health and Human Services must be notified if a data breach has been discovered HIPAA Privacy Rule 01 Dictates how, when and under what circumstances PHI can be disclosed. 02 Sets the minimum standards to safeguard ePHI HIPAA Security Rule
6. The Necessary and Addressable Security Measures of HIPAA
Required or addressable security measures? Practically every safeguard of HIPAA is “required” unless there is a justifiable rationale not to implement the safeguard
Example where an addressable safeguard might be not required: Email encryption Emails containing PHI only have to be encrypted if they are shared beyond a firewalled, internal server. If a healthcare group only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted – there is no need to adapt this addressable safeguard.
7. HIPAA Encryption Requirements
PasswordEncryption ePHI unreadable and undecipherable ▸ Data can only be read to a key or code is applied to decrypt the data. Data encryption is mentioned in the HIPAA Security Rule, but is only an addressable specification.
PasswordEncryption ▸ If the decision is taken to use encryption : The National Institute of Standards and Technology (NIST) recommends Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S / MIME. ▸ If the decision is taken not to use encryption: An alternative may be used in its place, provided it is reasonable and appropriate and provides an equivalent level of protection
8. HIPAA Password Requirements
Even though password requirements are not detailed in HIPAA, HIPAA covered entities should develop policies covering the creation of passwords and base those policies on current best practices. It is strongly recommended that healthcare organizations follow the advice of NIST when creating password policies.
Password requirements : advice of NIST ▸ A minimum of 8 characters up to 64 characters, with passphrases – memorized secrets – longer than standard passwords. ▸ No password hints storage ▸ Designed to prevent commonly used weak passwords from being set ▸ There is no need to change passwords frequently ▸ Multi-factor authentication should be implemented ▸ NIST recommends salting and hashing stored passwords using a one-way key derivation function
9. HIPAA Record Retention Requirements
HIPAA Record Retention Requirements There are no HIPAA record retention requirements as far as medical records are concerned but medical record retention requirements are covered by state laws. Data retention policies must therefore be developed accordingly. When medical records are retained, they must be kept secure at all times.
10. HIPAA Violation Reporting Requirements
HIPAA Violation Reporting ▸ Notifications must be issued to patients/health plan members and to the HHS’ Secretary within 60 days after the discovery of a breach. ▸ The individual and media notices should include a brief description of the security breach, the types of information exposed, a brief description of what is being done by the breached entity to mitigate harm and prevent future breaches ▸ A copy of the breach notices should be retained
10. Top 10 most Common HIPAA Violations
Risk Analysis Failures Failure to perform a comprehensive, organization-wide risk analysis. 1
Risk Management Failures Risk management is critical to the security of ePHI and PHI and is a fundamental requirement of the HIPAA Security Rule. 2
Lack of Encryption or Alternative Safeguards 3
Security Awareness Training Failures HIPAA requires covered entities and business associates to implement a security awareness training program for all members of the workforce. 4
Improper Disposal of PHI When PHI or ePHI is no longer required it must be disposed of securely in a manner that ensures PHI is “unreadable, indecipherable, and otherwise cannot be reconstructed.” 5
Impermissible Disclosures of PHI An impermissible disclosure of PHI is a disclosure not permitted under the HIPAA Privacy Rule. 6
Failure to Adhere to the Minimum Necessary Standard 7
Failure to Provide Patients with Copies of PHI on Request The Privacy Rule permits patients to access and obtain copies of their protected health information on request 8
Failure to Enter into A Business Associate Agreement 9
Failure to Issue Breach Notifications Promptly Breach notifications must be issued without unreasonable delay and no later than 60 days from the date of discovery of the breach. 10
11. Explaining HIPAA to Patients
The best fashion to explain HIPAA to patients is to put the relevant information in the Privacy Policy, and then give the patients a summary of what the policy contains
12. Explaining HIPAA to Staff
In order to adhere with HIPAA, organizations must compile privacy and security policies for their employees, and a sanctions policy for staff member who do not comply with the requirements. The best method of explaining HIPAA to employees is in special compliance training tutorials. Compliance training sessions should be short and often.
If you are unsure about any element of HIPAA, it is recommended you seek professional help
HIPAA FOR DUMMIES You now know everything! https://www.hipaaguide.net/hipaa-for-dummies/

Recommended

HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to know
Compliancy Group
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
Winston & Strawn LLP
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of Compliance
Jay Hodes
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA Compliance
CBIZ, Inc.
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & Security
National Pharmacy Technician Association
 
Presentation hippa
Presentation hippaPresentation hippa
Presentation hippa
maggie_Platt
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA Compliance
Manny Oliverez
 
HIPPA Compliance
HIPPA ComplianceHIPPA Compliance
HIPPA Compliancedixibee
 

Recommended

HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to know
Compliancy Group
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
Winston & Strawn LLP
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of Compliance
Jay Hodes
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA Compliance
CBIZ, Inc.
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & Security
National Pharmacy Technician Association
 
Presentation hippa
Presentation hippaPresentation hippa
Presentation hippa
maggie_Platt
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA Compliance
Manny Oliverez
 
HIPPA Compliance
HIPPA ComplianceHIPPA Compliance
HIPPA Compliancedixibee
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGY
mariaradziminski
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHarshit Trivedi
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
FarhatParveen10
 
HIPAA & PHI Training
HIPAA & PHI TrainingHIPAA & PHI Training
HIPAA & PHI Training
Hatch Compliance, Inc.
 
Hippa 2021
Hippa 2021Hippa 2021
Hippa 2021
John Reardon
 
Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)bholmes
 
Hipaa inservice
Hipaa inserviceHipaa inservice
Hipaa inservice
Kelly Snyder
 
Hippa
HippaHippa
Hippa
cameonicole
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA BasicsKarna *
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
Sanjeev Bharwan
 
HIPAA Summary for Training
HIPAA Summary for Training HIPAA Summary for Training
HIPAA Summary for Training
MDManagement
 
Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA TrainingJonathan Montes
 
The Basics of HIPAA
The Basics of HIPAA The Basics of HIPAA
The Basics of HIPAA
DamianKnowles1
 
Privacy and confidentiality
Privacy and confidentialityPrivacy and confidentiality
Privacy and confidentiality
johnzinn
 
Healthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bevHealthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bevblk70130
 
Hipaa
HipaaHipaa
HipaaJason Wrench
 
HIPAA Training - 2011
HIPAA Training - 2011HIPAA Training - 2011
HIPAA Training - 2011
darichardson
 
HIPAA
HIPAAHIPAA
HIPAAKarna *
 
Basic HIPAA Training by CMU
Basic HIPAA Training by CMUBasic HIPAA Training by CMU
Basic HIPAA Training by CMU
Atlantic Training, LLC.
 
HIPAA, PHI, & 42 CFR Part 2
HIPAA, PHI, & 42 CFR Part 2HIPAA, PHI, & 42 CFR Part 2
HIPAA, PHI, & 42 CFR Part 2
Hatch Compliance, Inc.
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentiality
jessie66
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule Playbook
Elizabeth Dimit
 

More Related Content

What's hot

HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGY
mariaradziminski
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHarshit Trivedi
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
FarhatParveen10
 
HIPAA & PHI Training
HIPAA & PHI TrainingHIPAA & PHI Training
HIPAA & PHI Training
Hatch Compliance, Inc.
 
Hippa 2021
Hippa 2021Hippa 2021
Hippa 2021
John Reardon
 
Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)bholmes
 
Hipaa inservice
Hipaa inserviceHipaa inservice
Hipaa inservice
Kelly Snyder
 
Hippa
HippaHippa
Hippa
cameonicole
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA BasicsKarna *
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
Sanjeev Bharwan
 
HIPAA Summary for Training
HIPAA Summary for Training HIPAA Summary for Training
HIPAA Summary for Training
MDManagement
 
Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA TrainingJonathan Montes
 
The Basics of HIPAA
The Basics of HIPAA The Basics of HIPAA
The Basics of HIPAA
DamianKnowles1
 
Privacy and confidentiality
Privacy and confidentialityPrivacy and confidentiality
Privacy and confidentiality
johnzinn
 
Healthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bevHealthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bevblk70130
 
HIPAA Training - 2011
HIPAA Training - 2011HIPAA Training - 2011
HIPAA Training - 2011
darichardson
 
Basic HIPAA Training by CMU
Basic HIPAA Training by CMUBasic HIPAA Training by CMU
Basic HIPAA Training by CMU
Atlantic Training, LLC.
 
HIPAA, PHI, & 42 CFR Part 2
HIPAA, PHI, & 42 CFR Part 2HIPAA, PHI, & 42 CFR Part 2
HIPAA, PHI, & 42 CFR Part 2
Hatch Compliance, Inc.
 

What's hot (20)

HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGY
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability Act
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
 
HIPAA & PHI Training
HIPAA & PHI TrainingHIPAA & PHI Training
HIPAA & PHI Training
 
Hippa 2021
Hippa 2021Hippa 2021
Hippa 2021
 
Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)
 
Hipaa inservice
Hipaa inserviceHipaa inservice
Hipaa inservice
 
Hippa
HippaHippa
Hippa
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA Basics
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
 
HIPAA Summary for Training
HIPAA Summary for Training HIPAA Summary for Training
HIPAA Summary for Training
 
Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA Training
 
The Basics of HIPAA
The Basics of HIPAA The Basics of HIPAA
The Basics of HIPAA
 
Privacy and confidentiality
Privacy and confidentialityPrivacy and confidentiality
Privacy and confidentiality
 
Healthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bevHealthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bev
 
Hipaa
HipaaHipaa
Hipaa
 
HIPAA Training - 2011
HIPAA Training - 2011HIPAA Training - 2011
HIPAA Training - 2011
 
HIPAA
HIPAAHIPAA
HIPAA
 
Basic HIPAA Training by CMU
Basic HIPAA Training by CMUBasic HIPAA Training by CMU
Basic HIPAA Training by CMU
 
HIPAA, PHI, & 42 CFR Part 2
HIPAA, PHI, & 42 CFR Part 2HIPAA, PHI, & 42 CFR Part 2
HIPAA, PHI, & 42 CFR Part 2
 

Similar to HIPAA for Dummies

Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentiality
jessie66
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule Playbook
Elizabeth Dimit
 
Privacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptxPrivacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptx
MohammadBashir26
 
health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptx
amartya2087
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docx
VistaInfosec
 
Health Insurance and Portability and Accountability Act
Health Insurance and Portability and Accountability ActHealth Insurance and Portability and Accountability Act
Health Insurance and Portability and Accountability Act
সারন দাস
 
HIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesHIPAA Compliance For Small Practices
HIPAA Compliance For Small Practices
Nisos Health
 
Mha 690 ppt hipaa for healthcare professionals
Mha 690 ppt hipaa for healthcare professionalsMha 690 ppt hipaa for healthcare professionals
Mha 690 ppt hipaa for healthcare professionals
lee5lee
 
Annual HIPAA Training
Annual HIPAA TrainingAnnual HIPAA Training
Annual HIPAA Training
Cynthia Holland
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
KloudLearn
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
Prince George
 
Understanding HIPAA
Understanding HIPAAUnderstanding HIPAA
Understanding HIPAA
Manas Deep
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentation
MarcEtienne6
 
Hipaa basics
Hipaa basicsHipaa basics
Hipaa basics
MichaelRodriguesdosS1
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guide
Felipe Prado
 
HIPAA Part I the Law Test
HIPAA Part I the Law TestHIPAA Part I the Law Test
HIPAA Part I the Law Test
Sachiko Hurst
 
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docxChapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
cravennichole326
 
HIPAA Audio Presentation
HIPAA Audio PresentationHIPAA Audio Presentation
HIPAA Audio Presentation
Lisa Shannon, RN, BSN, JD.
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingvrgill22
 

Similar to HIPAA for Dummies (20)

Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentiality
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule Playbook
 
Privacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptxPrivacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptx
 
health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptx
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docx
 
Health Insurance and Portability and Accountability Act
Health Insurance and Portability and Accountability ActHealth Insurance and Portability and Accountability Act
Health Insurance and Portability and Accountability Act
 
HIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesHIPAA Compliance For Small Practices
HIPAA Compliance For Small Practices
 
Mha 690 ppt hipaa for healthcare professionals
Mha 690 ppt hipaa for healthcare professionalsMha 690 ppt hipaa for healthcare professionals
Mha 690 ppt hipaa for healthcare professionals
 
Annual HIPAA Training
Annual HIPAA TrainingAnnual HIPAA Training
Annual HIPAA Training
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
 
Understanding HIPAA
Understanding HIPAAUnderstanding HIPAA
Understanding HIPAA
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentation
 
Hipaa basics
Hipaa basicsHipaa basics
Hipaa basics
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guide
 
HIPAA Part I the Law Test
HIPAA Part I the Law TestHIPAA Part I the Law Test
HIPAA Part I the Law Test
 
Hipaa
HipaaHipaa
Hipaa
 
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docxChapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
 
HIPAA Audio Presentation
HIPAA Audio PresentationHIPAA Audio Presentation
HIPAA Audio Presentation
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy training
 

Recently uploaded

Improving profitability for small business
Improving profitability for small businessImproving profitability for small business
Improving profitability for small business
Ben Wann
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
SynapseIndia
 
April 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products NewsletterApril 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products Newsletter
NathanBaughman3
 
Role of Remote Sensing and Monitoring in Mining
Role of Remote Sensing and Monitoring in MiningRole of Remote Sensing and Monitoring in Mining
Role of Remote Sensing and Monitoring in Mining
Naaraayani Minerals Pvt.Ltd
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
seri bangash
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
dylandmeas
 
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
BBPMedia1
 
Filing Your Delaware Franchise Tax A Detailed Guide
Filing Your Delaware Franchise Tax A Detailed GuideFiling Your Delaware Franchise Tax A Detailed Guide
Filing Your Delaware Franchise Tax A Detailed Guide
YourLegal Accounting
 
Enterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdfEnterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdf
KaiNexus
 
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Lviv Startup Club
 
BeMetals Presentation_May_22_2024 .pdf
BeMetals Presentation_May_22_2024 .pdfBeMetals Presentation_May_22_2024 .pdf
BeMetals Presentation_May_22_2024 .pdf
DerekIwanaka1
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
sarahvanessa51503
 
Exploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social DreamingExploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social Dreaming
Nicola Wreford-Howard
 
Lookback Analysis
Lookback AnalysisLookback Analysis
Lookback Analysis
Safe PaaS
 
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
Kumar Satyam
 
What is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdfWhat is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdf
seoforlegalpillers
 
Project File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdfProject File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdf
RajPriye
 
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptxTaurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
my Pandit
 
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n PrintAffordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Navpack & Print
 
Skye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto AirportSkye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto Airport
marketingjdass
 

Recently uploaded (20)

Improving profitability for small business
Improving profitability for small businessImproving profitability for small business
Improving profitability for small business
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 
April 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products NewsletterApril 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products Newsletter
 
Role of Remote Sensing and Monitoring in Mining
Role of Remote Sensing and Monitoring in MiningRole of Remote Sensing and Monitoring in Mining
Role of Remote Sensing and Monitoring in Mining
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
 
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
 
Filing Your Delaware Franchise Tax A Detailed Guide
Filing Your Delaware Franchise Tax A Detailed GuideFiling Your Delaware Franchise Tax A Detailed Guide
Filing Your Delaware Franchise Tax A Detailed Guide
 
Enterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdfEnterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdf
 
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)
 
BeMetals Presentation_May_22_2024 .pdf
BeMetals Presentation_May_22_2024 .pdfBeMetals Presentation_May_22_2024 .pdf
BeMetals Presentation_May_22_2024 .pdf
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
 
Exploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social DreamingExploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social Dreaming
 
Lookback Analysis
Lookback AnalysisLookback Analysis
Lookback Analysis
 
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
 
What is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdfWhat is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdf
 
Project File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdfProject File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdf
 
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptxTaurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
 
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n PrintAffordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n Print
 
Skye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto AirportSkye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto Airport
 

HIPAA for Dummies

  • 4. The purpose ● Modernize the flow of healthcare information ● Stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft ● Address limitations on healthcare insurance coverage – such as portability and the coverage of individuals with pre-existing conditions
  • 5. 1996: The Secretary of Health and Human Services (HSS) proposed standards that protect individual health information 1999: First set of proposed “Code Set” standards 2000: First proposals for the Privacy Rule Nowadays: The scope of the Act has been extended to cover Business Associates – third party service providers that perform a function on behalf of a HIPAA-Covered Entity that involves the use or disclosure of Protected Health Information (PHI). The Timeline
  • 6. The HIPAA regulations policies U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) State Attorney Generals Have the authority impose financial penalties on Covered Entities and Business Associates for violations of HIPAA
  • 9. We need to accommodate the advances in technology and changes to working practices
  • 10. ● HIPAA is technology-neutral ● HIPAA does not preempt state law, except in circumstances in which the state´s privacy and security regulations are weaker than those in HIPAA. OCR guidance has gone digital (Listserv application) Frequent guidance issued by OCR New HIPAA Rules Original language of HIPAA HIPAA in 2018
  • 12. Personal Identifiers ➔ 18 Personal Identifiers ➔ Could reveal the identity of a person, their medical history or payment records ➔ Most commonly known as “Protected Health Information” or “PHI” ➔ Known as “ePHI” when stored or communicated electronically
  • 13. Names or part of names Any other unique identifying characteristic Geographical identifiers Dates directly related to a person Phone number details Fax number details Details of Email addresses Social Security details Medical record numbers Health insurance beneficiary numbers Account details Certificate or license numbers Vehicle license plate details Device identifiers and serial numbers Website URLs IP address details Fingerprints, retinal and voice prints Complete face or any comparable photographic images
  • 14. Personal Identifiers Name or part of name Phone number details Geographical identifiers Details of Email addresses Dates directly related to a person Medical record numbers Certificate or license numbers Website URLs Fingerprints, retinal and voice prints IP address details Social Security details Vehicle license plate details Any other unique identifying characteristic Account details Health insurance beneficiary numbers Complete face or any comparable photographic images Device identifiers and serial numbers Fax number details
  • 15. The main takeaway for HIPAA compliance is that any company or individual that comes into contact with PHI must enact and enforce appropriate policies, procedures and safeguards to protect data.
  • 16. Violations of HIPAA often result from the following: ● Lack of adequate risk analyses ● Lack of comprehensive employee training ● Inadequate Business Associate Agreements ● Inappropriate disclosures of PHI ● Ignorance of the minimum necessary rule ● Failure to report breaches within the prescribed timeframe
  • 17. OCR may refrain from imposing a significant financial penalty on a Covered Entity if the offence has not resulted in the unauthorized disclosure of PHI Accidental offences It is likely a course of “corrective action” will be required. OCR does not consider ignorance an adequate excuse for HIPAA violations
  • 19. Who does HIPAA apply to? ● “HIPAA Covered Entities” (Practically all health plans, healthcare clearinghouses, healthcare suppliers, endorsed sponsors of the Medicare prescription drug discount card) ● Hybrid entities (employers who use schemes such as the Employee Assistance Program (EAP) ● Business Associates - BA (entities who supply services and perform certain functions for a Covered Entities, during which they have access to PHI)
  • 21. Enforcement Rule05 Lays out how any resulting investigations are carried out. Determines appropriate fines Omnibus Rule04 Activated HIPAA-related changes that had been part of HITECH Breach notification Rule 03 The Department of Health and Human Services must be notified if a data breach has been discovered HIPAA Privacy Rule 01 Dictates how, when and under what circumstances PHI can be disclosed. 02 Sets the minimum standards to safeguard ePHI HIPAA Security Rule
  • 23. Required or addressable security measures? Practically every safeguard of HIPAA is “required” unless there is a justifiable rationale not to implement the safeguard
  • 24. Example where an addressable safeguard might be not required: Email encryption Emails containing PHI only have to be encrypted if they are shared beyond a firewalled, internal server. If a healthcare group only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted – there is no need to adapt this addressable safeguard.
  • 26. PasswordEncryption ePHI unreadable and undecipherable ▸ Data can only be read to a key or code is applied to decrypt the data. Data encryption is mentioned in the HIPAA Security Rule, but is only an addressable specification.
  • 27. PasswordEncryption ▸ If the decision is taken to use encryption : The National Institute of Standards and Technology (NIST) recommends Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S / MIME. ▸ If the decision is taken not to use encryption: An alternative may be used in its place, provided it is reasonable and appropriate and provides an equivalent level of protection
  • 29. Even though password requirements are not detailed in HIPAA, HIPAA covered entities should develop policies covering the creation of passwords and base those policies on current best practices. It is strongly recommended that healthcare organizations follow the advice of NIST when creating password policies.
  • 30. Password requirements : advice of NIST ▸ A minimum of 8 characters up to 64 characters, with passphrases – memorized secrets – longer than standard passwords. ▸ No password hints storage ▸ Designed to prevent commonly used weak passwords from being set ▸ There is no need to change passwords frequently ▸ Multi-factor authentication should be implemented ▸ NIST recommends salting and hashing stored passwords using a one-way key derivation function
  • 32. HIPAA Record Retention Requirements There are no HIPAA record retention requirements as far as medical records are concerned but medical record retention requirements are covered by state laws. Data retention policies must therefore be developed accordingly. When medical records are retained, they must be kept secure at all times.
  • 34. HIPAA Violation Reporting ▸ Notifications must be issued to patients/health plan members and to the HHS’ Secretary within 60 days after the discovery of a breach. ▸ The individual and media notices should include a brief description of the security breach, the types of information exposed, a brief description of what is being done by the breached entity to mitigate harm and prevent future breaches ▸ A copy of the breach notices should be retained
  • 35. 10. Top 10 most Common HIPAA Violations
  • 36. Risk Analysis Failures Failure to perform a comprehensive, organization-wide risk analysis. 1
  • 37. Risk Management Failures Risk management is critical to the security of ePHI and PHI and is a fundamental requirement of the HIPAA Security Rule. 2
  • 38. Lack of Encryption or Alternative Safeguards 3
  • 39. Security Awareness Training Failures HIPAA requires covered entities and business associates to implement a security awareness training program for all members of the workforce. 4
  • 40. Improper Disposal of PHI When PHI or ePHI is no longer required it must be disposed of securely in a manner that ensures PHI is “unreadable, indecipherable, and otherwise cannot be reconstructed.” 5
  • 41. Impermissible Disclosures of PHI An impermissible disclosure of PHI is a disclosure not permitted under the HIPAA Privacy Rule. 6
  • 42. Failure to Adhere to the Minimum Necessary Standard 7
  • 43. Failure to Provide Patients with Copies of PHI on Request The Privacy Rule permits patients to access and obtain copies of their protected health information on request 8
  • 44. Failure to Enter into A Business Associate Agreement 9
  • 45. Failure to Issue Breach Notifications Promptly Breach notifications must be issued without unreasonable delay and no later than 60 days from the date of discovery of the breach. 10
  • 47. The best fashion to explain HIPAA to patients is to put the relevant information in the Privacy Policy, and then give the patients a summary of what the policy contains
  • 49. In order to adhere with HIPAA, organizations must compile privacy and security policies for their employees, and a sanctions policy for staff member who do not comply with the requirements. The best method of explaining HIPAA to employees is in special compliance training tutorials. Compliance training sessions should be short and often.
  • 50. If you are unsure about any element of HIPAA, it is recommended you seek professional help
  • 51. HIPAA FOR DUMMIES You now know everything! https://www.hipaaguide.net/hipaa-for-dummies/