Introduction
• The Health Insurance Portability and Accountability Act (HIPAA) requires all
practitioners to ensure the privacy and security of patient information. The Privacy and
Security rules went into effect on April 14, 2003, with stiff penalties for those who fail to
comply, or who improperly disclose or misuse protected health information.
• The HIPAA Privacy and Security Rules dictate that all who may come in contact with
patients' healthcare information go through training on HIPAA policy, and that there
be documentation to prove that the training has been completed.
• As part of the American Recovery and Reinvestment Act of 2009, the Health
Information Technology for Economic and Clinical Health (HITECH) Act updated federal
HIPAA privacy and security standards. The updates include:
  – Breach notification requirements
  – Fine and penalty increases for privacy violations
  – Right to request copies of the electronic health care record in electronic format
  – Mandates that Business Associates are civilly and criminally liable for privacy and
security violations
1 of 47
Overview
• In 1996, Congress enacted the Health Insurance Portability and Accountability Act,
also known as HIPAA. The primary purpose of HIPAA is:
  – To protect people from losing their health insurance if they change jobs or have
pre-existing health conditions
  – To reduce the costs and administrative burdens of healthcare by creating
standard electronic formats for many administrative transactions that are currently
carried out on paper, and
  – To develop standards and requirements to protect the privacy and security of
confidential healthcare information.
• In April, 2003, the Department of Health and Human Services issued new regulations
referred to as the Privacy Rule and Security Rule. The regulations require healthcare
organizations to adopt processes and procedures to ensure the highest degree of
patient confidentiality. These processes include administrative, physical and technical
safeguards to ensure that medical information is stored, transmitted and received in a
safe and secure manner.
2 of 47
Overview Cont.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted
as part of the American Recovery and Reinvestment Act of 2009, was signed into law on
February 17, 2009, to promote the adoption and meaningful use of health information
technology. Subtitle D of the HITECH Act addresses the privacy and security concerns
associated with the electronic transmission of health information, in part, through several
provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
As you can imagine, the HIPAA regulations impact virtually every department of every entity
that has access to confidential health information. Hospitals, medical practices, insurance
companies, medical-device manufacturers and other healthcare organizations are
undergoing major changes in the way they handle patient information.
The Privacy and Security Rules provide stiff penalties for those who fail to comply with the
requirements or who improperly disclose or misuse protected health information (PHI).
It is important that all those who may come in contact with PHI understand and carry out their
responsibilities under the Rules, as outlined in this training program.
3 of 47
Covered Entities
HIPAA is a broad and far-reaching law. Entities covered by the Privacy and Security
Rules include healthcare plans, providers and clearinghouses.
The Rule also extends to the business associates of covered entities, which include
auditors, consultants, lawyers, data and billing firms, and others with whom the
covered entities have agreements involving the use of protected health information.
The covered entity must receive satisfactory assurances that the business associate
will comply with the Privacy and Security Rules, though the covered entity need not
monitor the business associate's work unless it learns of a problem with compliance.
In addition, the Rules apply to any company that offers healthcare and treatment to its
employees on-site. Thus, if an employer or school operates an on-site clinic, the clinic
would be a covered entity, and its patient information would be subject to the Privacy
and Security Rules.
4 of 47
Examples of Covered Entities
5 of 47
What is a Business Associate?
A person or entity which performs certain functions, activities, or services for your
organization involving the use and/or disclosure of PHI, but the person or entity is not a
part of your organization or its workforce. (Examples: transcription services, temporary
staffing services, record copying company, home healthcare agencies, nursing homes,
assisted living, rehabilitation centers, etc.)
Your organization is required to have agreements with business associates that protect a
patient's PHI.
6 of 47
Entities Covered by State Law
When covered entities use or transmit protected health information in any form, they
must comply not only with the Privacy and Security Rules, but also with any State
laws regarding privacy of medical records.
In the event of a conflict between HIPAA and state law, HIPAA preempts state law
unless the state law is more strict. (In other words, whichever provides greater
protection to patients must be followed.)
The terrain of state health privacy law remains uneven. While the Federal Health
Privacy Rules have established some uniform minimum standards, state health privacy
laws remain diverse in the rights and protections that they afford. Because the Federal
Health Privacy Rules do not cover all who hold health information and do not preempt
many state laws, the level of protection afforded to health information continues to vary
depending on who is holding the information and the state in which they are located.
7 of 47
Covered Transactions
HIPAA establishes a single set of transaction standards for electronic healthcare
transactions, thus enabling healthcare providers and insurance companies to
communicate more fluidly. The Privacy and Security Rules cover the following types of
information transactions:
  – Healthcare claims (professional, institutional and dental)
  – Health plan eligibility inquiries and responses
  – Enrollment and disenrollment in a health plan
  – Healthcare payment and remittance advice
  – Health plan premium payments
  – Claim status inquiries and responses
  – Referral certification and authorization, and
  – Coordination of benefits.
The rules also require covered entities to use special coding standards for all
transactions involving electronic data interchange (EDI), including the use of "unique
identifiers" for providers, health plans, employers and patients. These new coding
standards are still being developed and defined by the Department of Health and Human
Services.
8 of 47
Protected Health Information (PHI)
The Privacy and Security Rules protect individually identifiable health information
transmitted or maintained by a covered entity, no matter what form it takes.
This means that when a doctor takes notes in a medical chart, when a hospital data-
entry clerk types health insurance information into a computer, or when healthcare
providers discuss a patient's condition, any identifiable health information becomes
protected health information (PHI) under HIPAA.
Note, however, that employment records held by a covered entity in its role as an
employer are not considered PHI.
While many covered entities may seek to rely on practice-management software or
healthcare clearinghouses as a means of ensuring HIPAA compliance for their
healthcare transactions, software alone cannot provide a complete solution. Most of
the work in complying with HIPAA for all covered entities is in developing and
administering systems and policies that prevent the misuse of PHI in a comprehensive
and consistent way.
9 of 47
Examples of PHI
PHI = Health Information with Identifiers
• Name
• Postal address
• All elements of dates except year
• Telephone number
• Fax number
• Email address
• URL address
• IP address
• Social security number
• Account numbers
• License numbers
• Medical record number
• Health plan beneficiary #
• Device identifiers and their serial numbers
• Vehicle identifiers and serial number
• Biometric identifiers (finger and voice prints)
• Full face photos and other comparable images
• Any other unique identifying number, code, or characteristic
Applies to Written and Electronic Information
10 of 47
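As an added example (not part of the training deck), the following Python helper turns the identifier list above into a de-identification step: fields holding the listed direct identifiers are dropped, date fields are reduced to the year, and free text is checked for identifiers that a scrubber could recognise mechanically. All field names and the sample record are constructed for illustration.

```python
"""De-identification helper keyed to the PHI identifier list on the slide.

Added example, not part of the training deck. Field names and SAMPLE_RECORD are
constructed; the identifier categories are the ones the slide lists (name, postal
address, dates other than year, phone, fax, email, URL, IP, SSN, account and
license numbers, MRN, beneficiary number, device and vehicle serials, biometrics,
full-face photos, other unique codes).
"""
import re
from datetime import date

# Constructed field names that hold a direct identifier from the slide's list.
# These are removed outright when a record is de-identified.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "postal_address", "telephone", "fax", "email", "url", "ip_address",
    "ssn", "account_number", "license_number", "medical_record_number",
    "health_plan_beneficiary_number", "device_serial", "vehicle_vin",
    "fingerprint_template", "voice_print", "face_photo", "patient_code",
}

# Date fields keep only the year ("all elements of dates except year").
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "service_date"}

# Approximate patterns for identifiers that can be spotted in free text.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
}


def year_only(value):
    """Reduce a date (date object or ISO 'YYYY-MM-DD' string) to its year."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def find_identifiers(text):
    """Return the names of identifier patterns found in free text (empty if clean)."""
    return sorted(name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text))


def deidentify(record):
    """Return a copy of record with direct identifiers removed and dates cut to year.

    Raises ValueError if a free-text field still carries a recognisable identifier,
    so a record is never released half-scrubbed.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop the identifier field entirely
        if key in DATE_FIELDS:
            out[key] = year_only(value)   # keep the year, drop month and day
            continue
        if isinstance(value, str):
            leaked = find_identifiers(value)
            if leaked:
                raise ValueError(f"free text in {key!r} still contains {leaked}")
        out[key] = value
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "medical_record_number": "MRN-0000001",
    "name": "Jane Example",
    "date_of_birth": date(1970, 5, 14),
    "admission_date": "2011-03-02",
    "telephone": "555-010-0000",
    "email": "jane@example.invalid",
    "diagnosis_code": "E11.9",
    "notes": "Follow-up visit, discussed medication adherence.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

The regexes are deliberately coarse: they catch obvious leaks in notes fields, not every way an identifier can be written, so the field-level removal does the real work.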
Treatment - Payment - Healthcare Operations (TPO)
11 of 47
Notice of Privacy Practices (NPP)
The Privacy Rule requires a covered entity to:
  – Provide patients with a Notice of Privacy Practices (NPP); and
  – Make a good-faith effort to obtain a patient's written acknowledgment of
receiving the NPP.
The NPP must inform patients of:
1. The uses and disclosures of PHI that the entity may make
2. The patient's right to access and amend their medical information, and
3. The covered entity's responsibilities with respect to PHI.
Once it has obtained the acknowledgment or has made a good-faith effort to do so,
the entity may:
  – Use PHI for its own treatment, payment or healthcare operations; and
  – Disclose PHI to other covered entities for their treatment, payment or certain
limited healthcare operations.
When using or disclosing PHI or when requesting PHI from another covered entity, a
covered entity must make reasonable efforts to limit PHI to the minimum necessary to
accomplish the intended purpose of the use or disclosure.
12 of 47
Covered Entities' Responsibility
Must use or share only the minimum amount of PHI necessary, except for requests made:
• For treatment of the patient
• By the patient, or as requested by the patient to others
• To complete standardized electronic transactions, as required by HIPAA
• By the Secretary of the Department of Health & Human Services (DHHS)
• As required by law
13 of 47
Examples of TPO
• The patient's referring physician calls and asks for a copy of the patient's recent exam
at your organization (Treatment)
• A patient's insurance company calls and requests a copy of the patient's medical
record for a specific service date (Payment)
• The Quality Improvement office calls and asks for a copy of an operative report
(Health Care Operations)
• Patient information may be provided for these TPO purposes
14 of 47
For Purposes other than TPO
• Unless required or permitted by law, entities must obtain written authorization from the
patient to use, disclose, or access patient information.
• Patient Authorization allows entities to disclose information for purposes not related to
treatment, payment, or operations.
– For human subjects research, additional rules and training are required if your
organization is involved in human subjects research.
– PHI may not be accessed for human subjects research unless the Institutional
Review Board (IRB) has approved the research, and
– BOTH Informed Consent and HIPAA Authorization have been obtained from the
subject, OR the organization's IRB has approved a Waiver of Informed Consent and
HIPAA Authorization.
NOTE: If you obtain or use PHI for research purposes with only an Informed Consent but
without a HIPAA Authorization, it is considered an unauthorized disclosure under HIPAA.
15 of 47
Use and Disclosures of PHI for Research
PHI may be used in research if appropriate authorization from research participants
is obtained, or if the PHI is obtained through one of the following alternatives:
• Certified De-identified data sets;
• Limited data sets (when accompanied by an appropriate Data Use Agreement);
• Waiver or alteration of the authorization requirement by an Institutional Review Board
(IRB) or Privacy Board;
• Research involving decedents' PHI (when appropriate representations are made by the
researcher to your organization that the PHI is necessary and sought solely for
research on decedents); or
• Reviews preparatory to research when your organization receives representations from
the researcher that access to the PHI is necessary and the PHI will not be removed from
your organization.
PHI may be used in research only by those individuals authorized to access the
information by the person(s) responsible for the project (principal investigator, project
director, project coordinator) or the department head. The person(s) responsible must
protect the information from unauthorized access and must maintain and regularly
update a list of staff that is authorized to have access to the PHI.
16 of 47
Other Use of PHI
As a general rule, a covered entity may not use or disclose protected health
information for purposes other than treatment, payment and healthcare operations
without the patient's written authorization.
Marketing
The Privacy Rule prohibits a covered entity from disclosing PHI to others for marketing
purposes without the patient's written authorization. For example, a pharmacy may not
provide a pharmaceutical company a list of patients with a particular disease or
condition in order for the pharmaceutical company to market drugs to those patients
without their authorization.
17 of 47
Other Use of PHI Cont.
At the same time, communications regarding treatment, case management or the
recommending of alternative therapies are excluded from the definition of "marketing," as
are communications that promote health in a general manner. Thus, for example, a
health-related newsletter that a covered entity distributes to patients to inform them about
new healthcare developments would not be considered marketing under the Privacy
Rule.
Incidental Disclosures
The Privacy Rule allows "incidental" disclosures of PHI, as long as the covered entity
uses reasonable safeguards and adheres to the "minimum necessary" standards. For
example, doctors' offices may use waiting-room sign-in sheets, hospitals may keep charts
at bedside, doctors may talk to patients in semi-private rooms, and medical staff may
confer at the nurse's station without violating the Privacy Rule.
18 of 47
Treat Patients’ Information as if it
were your own information
19 of 47
Patients' Rights
• The right to request restriction of PHI uses & disclosures
• The right to request alternative forms of communications (mail to P.O. Box, not
street address; no message on answering machine, etc.)
• The right to access and copy the patient's PHI
• The right to an accounting of the disclosures of PHI
• The right to request amendments to information
20 of 47
Downloading / Copying / Removal
• Employees should not download, copy, or remove from the clinical areas any PHI,
except as necessary to perform their jobs.
• Upon termination of employment, or upon termination of authorization to access PHI,
the employee must return copies of PHI in his or her possession.
• Shred or destroy PHI before throwing it away.
• Dispose of paper and other records with PHI in secured shredding bins. Recycling and
trash bins are NOT secure.
• Shredding bins work best when papers are put inside the bins. When papers are left
outside the bin, they are not secured from:
  – Daily gossip
  – Daily trash
  – The public
21 of 47
Know where you left your paperwork
• Check printers, faxes, copier machines when you are done using them
• Ensure paper charts are returned to applicable areas in nursing stations, medical records,
or designated file rooms
• Do not leave hard copies of PHI lying on your desk; lock them up in your desk at the end of
the day
• Seal envelopes well when mailing
• Faxing is permitted. Always include, with the faxed information, a cover sheet containing a
Confidentiality Statement
• Limit manual faxing to urgent transmittals. In an emergency, faxing PHI is appropriate
when the information is needed immediately for patient care
• Other situations considered urgent (e.g., results from lab to physician)
• Place fax machines in a secure area
22 of 47
Information that should not be Faxed except in an emergency:
  – Drug dependency
  – Alcohol dependency
  – Mental illness or psychological information
  – Sexually-transmitted disease (STD) information
  – HIV status
23 of 47
HIPAA Security Rule Provisions
24 of 47
Administrative Safeguards
Since many of us receive, store and transmit PHI as part of our day-to-day
responsibilities, the Privacy Rule requires the following administrative safeguards to
ensure that PHI is not compromised:
  – Designating a Privacy Officer to be responsible for the development and
implementation of privacy policies
  – Providing physical safeguards to protect our computer systems and related
equipment from fire, other environmental hazards and intrusion
  – Using technical safeguards like encryption software to transmit health information
over the Internet
  – Requiring business associates (lawyers, consultants, auditors, billing companies,
pharmacists, etc.) to confirm that they will protect PHI
  – Developing a system to track who accessed what information; and
  – Implementing rules for addressing violations of privacy, security and transaction
regulations, including establishing a process for making complaints and
preventing retaliation against anyone who reports a HIPAA violation.
HIPAA also requires those with access to PHI to undergo periodic training on these
and other appropriate privacy procedures, and to keep documented proof that these
trainings have been given.
25 of 47
More Administrative Safeguards
The Security Rule also requires that administrative, physical and technical safeguards
are in place to prevent the improper use or disclosure of PHI. The required
administrative safeguards are as follows:
• Certification Review: A technical evaluation to ensure that our computer environment
is secure from intrusion.
• Chain of Trust Agreements: Agreements with external recipients of PHI confirming
that they will protect the confidentiality of data exchanged.
• Contingency Plan: A plan for responding to system emergencies, including the
performance of backups, emergency-mode operations, and disaster-recovery
procedures.
• Policies & Procedures: Policies and procedures for the proper use of healthcare
information.
• Access Controls: A plan for granting different levels of access to healthcare
information, including policies that determine each individual's right to access the
information.
• Internal Audit Procedures: An in-house review of system activity records (such as log-
ins, file accesses, and security incidents).
26 of 47
More Administrative Safeguards Cont.
• Personnel Security: Security checks and special training for all employees with
access to sensitive information regarding the proper use and handling of PHI, and
documentation to verify that the training has occurred.
• Security Configuration Management: Procedures for the security of our computer
systems, such as virus checking and security testing.
• Security Incident Procedures: Instructions for reporting security breaches.
• Security Management Process: A process to ensure that we have the proper
infrastructure in place to prevent and detect security breaches.
• Termination Procedures: Procedures to prevent a terminated employee from having
access to confidential information.
HIPAA also requires those with access to PHI to undergo periodic training on these and
other appropriate security procedures, and to keep documented proof that these trainings
have been given.
27 of 47
Physical Safeguards
The Security Rule also requires a number of physical steps to ensure that PHI
contained in computers is properly protected from fire and environmental hazards, as
well as from intrusion. Physical safeguards include the following:
  – Security Management: Assignment of responsibility for security management.
  – Media Controls: A set of procedures that govern the receipt and removal of hardware
and software (such as diskettes, tapes, and personal data assistants).
  – Physical Access Controls: Procedures that deter intruders from accessing
environments where sensitive information resides.
  – Equipment Controls: Security policies for bringing hardware and software into and
out of offices, including policies on how to dispose of hardware and other storage
media.
  – Guidelines on Workstation Use: Procedures describing the proper functions to be
performed on computers, and how to handle sensitive information that may be
displayed on computer screens.
28 of 47
Technical Safeguards
Finally, the Security Rule requires certain technical safeguards for PHI,
including:
  – Access Controls: Controls to ensure that access to sensitive information is
available on a need-to-know basis, based on roles and context.
  – Audit Controls: Controls to record and examine system activity, helping to
eliminate unnecessary access to sensitive information.
  – Authorization Controls: Controls for obtaining consent for the use and
disclosure of health information.
  – Data Authentication: Controls to help ensure that health data has not been
altered in an unauthorized manner.
  – Entity Authentication: Controls to ensure that data is sent to the intended
recipient and received by the intended party. These controls include the use of
password protections, PIN numbers and, when sent over public networks,
encryption.
29 of 47
Technical Safeguard Cont.
Sending PHI via E-mail and Fax
According to the Security Rule, it is permissible to use the Internet to transmit PHI, as
long as
• An acceptable method of encryption is used to protect confidentiality, and
• Appropriate authentication procedures are followed to ensure correct
identification of the sender and receiver.
Although faxes are transmitted over telephone lines, they are not considered to be
"covered transactions," so they may be sent without additional security precautions.
30 of 47
Privacy Breach from Lost, Stolen, or Misdirected Information
A privacy breach can occur when information is:
• Physically lost or stolen
  – Paper copies, films, tapes, electronic devices
  – Anytime, anywhere - even while on public transportation, crossing the street, in the
building, in your office
• Misdirected to others outside of your organization
  – Verbal messages sent to or left on the wrong voicemail or sent to or left for the wrong
person
  – Mislabeled mail, misdirected email
  – Wrong fax number, wrong phone number
  – Placed on intranet, internet, websites, Facebook, Twitter
31 of 47
What constitutes a Breach?
Definition of "Breach": An impermissible acquisition, access, use or disclosure not
permitted by the HIPAA Privacy Rule.
Examples include:
  – Laptop containing PHI is stolen
  – Receptionist who is not authorized to access PHI looks through patient files in order
to learn of a person's treatment
  – Nurse gives discharge papers to the wrong individual
  – Billing statements containing PHI mailed or faxed to the wrong individual/entity
32 of 47
Examples of Privacy Breach
• Talking in public areas, talking too loudly, talking to the wrong person
• Lost/stolen or improperly disposed of paper, mail, films, notebooks
• Lost/stolen laptops, PDAs, cell phones, media devices (video and audio recordings)
• Lost/stolen media like CDs, flash drives, memory cards
• Hacking of unprotected computer systems
• Email or faxes sent to the wrong address, wrong person, or wrong number
• User not logging off of computer systems, allowing others to access their computer or
system
33 of 47
Exceptions to Breach
• Unintentional acquisition, access, use or disclosure by a workforce member
(“employees, volunteers, trainees, and other persons whose conduct, in the
performance of work for a covered entity, is under the direct control of such entity,
whether or not they are paid by the covered entity”) acting under the authority of a
covered entity or business associate.
• Inadvertent disclosures of PHI from a person authorized to access PHI at a covered
entity or business associate to another person authorized to access PHI at the same
covered entity, business associate, or organized healthcare arrangement in which
covered entity participates.
• If a covered entity or business associate has a good faith belief that the
unauthorized individual, to whom the impermissible disclosure was made, would not
have been able to retain the information.
34 of 47
Breach Notification Obligations
If a breach has occurred, your organization will be responsible for providing notice to:
• The affected individuals (without unreasonable delay and in no event later than 60
days from the date of discovery; a breach is considered discovered when the incident
becomes known, not when the covered entity or Business Associate concludes the
analysis of whether the facts constitute a Breach)
• The Secretary of Health & Human Services (HHS) (timing will depend on the number of
individuals affected by the breach)
• Media (only required if 500 or more individuals of any one state are affected)
35 of 47
Breach Notification Decision Tree
36 of 47
What if there is a Breach of Confidentiality?
Breaches of the policies and procedures or a patient's confidentiality must be reported to
your organization's privacy official. Please follow your organization's policy manual for
the reporting procedure.
37 of 47
Internal Disciplinary Actions
Disciplinary Actions (Sanctions)
Internal Disciplinary Actions
• Individuals who breach the policies will be subject to appropriate discipline under the
organization's sanction policy.
Civil/Criminal Penalties
• An employee who does not protect a patient's privacy and follow all required policies and
procedures could lose his or her job.
• Covered entities and individuals who violate these standards will be subject to civil
and/or criminal liability.
38 of 47
Civil Penalties
Covered entities and individuals who violate these standards will be subject to civil liability.
Tiered Civil Penalties
1. Individual did not know (and by exercising reasonable diligence would not have known)
   that he/she violated HIPAA
   Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations
   Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
2. HIPAA violation due to reasonable cause and not due to willful neglect
   Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
   Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
3. HIPAA violation due to willful neglect but violation is corrected within the required
   time period
   Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
   Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
4. HIPAA violation is due to willful neglect and is not corrected
   Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
   Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
39 of 47
HIPAA Criminal Penalties
1. An individual who knowingly obtains or discloses individually identifiable health
   information in violation of HIPAA regulations
   Criminal penalty: up to $50,000 and up to one year imprisonment
2. If wrongful conduct involves false pretenses
   Criminal penalty: increases to $100,000 and up to five years imprisonment
3. If the wrongful conduct involves the intent to sell, transfer, or use identifiable health
   information for commercial advantage, personal gain or malicious harm
   Criminal penalty: $250,000 and up to 10 years imprisonment
40 of 47
Reporting Security Incidents / Privacy Breaches
You are required to:
• Respond to security incidents and report them first to your practice Information
Privacy and Security personnel and/or to the Practice Administrator, as well as to the
Information Privacy and Security Officer.
• Immediately report any known or suspected privacy breaches (for example, involving
paper, conversations, or suspected unauthorized or inappropriate access to or use of PHI)
first to your practice Information Privacy and Security personnel and/or to the Practice
Administrator, as well as to your organization's Information Privacy and Security Office.
41 of 47
Conclusion
Test/Quiz: Go To Next Slide
From the patients' point of view, ALL information is private.
This includes a patient's:
• Personal information
• Financial information
• Medical information
• Protected Health Information
• Information in any format: spoken, written, or electronic
To wrap things up, remember that patient privacy and data security, whether paper or
electronic, are a top priority for pharmacy staff. Protected Health Information refers to the
data you must keep private and secure because, alone or in combination, it identifies an
individual patient. Patients, including you when you are a patient, have a number of rights
with respect to protected health information. Patients may request copies, file a
complaint, or request amendments or changes to the record. Think back over the
questions and case studies and recall how often the answer could be chosen using
common sense. HIPAA has many rules, but most are pretty easy to follow.
42 of 47
Active Learning
Other Administrative Simplification Rules - In addition to the HIPAA Privacy, Security,
and Enforcement Rules, the HIPAA Administrative Simplification Rule also includes the
following rules and standards:
https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/index.html
43 of 47
References
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191
https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996
HHS published a final Privacy Rule
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
HHS published a final Security Rule
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
The HITECH Act of 2009 expanded the responsibilities of business associates under the HIPAA Security Rule.
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html
44 of 47

HIPAA Privacy & Security

  • 1.
    Introduction • The HealthInsurance Portability and Accountability Act (HIPAA) requires all practitioners to ensure the privacy and security of patient information. The Privacy and Security rules went into effect on April 14, 2003, with stiff penalties for those who fail to comply, or who improperly disclose or misuse protected health information. • The HIPAA Privacy and Security Rules dictate that all who may come in contact with patient’s healthcare information go through a training on HIPAA policy, and that there be documentation to prove that the training has been completed. • As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act updated federal HIPAA privacy and security standards. The updates include:  Breach notification requirements  Fine and penalty increases for privacy violations  Right to request copies of the electronic health care record in electronic format  Mandates that Business Associates are civilly and criminally liable for privacy and security violations 1 of 47
  • 2.
    Overview • In 1996,Congress enacted the Health Insurance Portability and Accountability Act, also known as HIPAA. The primary purpose of HIPAA is:  To protect people from losing their health insurance if they change jobs or have pre-existing health conditions  To reduce the costs and administrative burdens of healthcare by creating standard electronic formats for many administrative transactions that are currently carried out on paper, and  To develop standards and requirements to protect the privacy and security of confidential healthcare information. • In April, 2003, the Department of Health and Human Services issued new regulations referred to as the Privacy Rule and Security Rule. The regulations require healthcare organizations to adopt processes and procedures to ensure the highest degree of patient confidentiality. These processes include administrative, physical and technical safeguards to ensure that medical information is stored, transmitted and received in a safe and secure manner. 2 of 47
  • 3.
    Overview Cont. The HealthInformation Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. As you can imagine, the HIPAA regulations impact virtually every department of every entity that has access to confidential health information. Hospitals, medical practices, insurance companies, medical-device manufacturers and other healthcare organizations are undergoing major changes in the way they handle patient information. The Privacy and Security Rules provide stiff penalties for those who fail to comply with the requirements or who improperly disclose or misuse protected health information (PHI). It is important that all those who may come in contact with PHI understand and carry out their responsibilities under the Rules, as outlined in this training program. 3 of 47
Covered Entities
HIPAA is a broad and far-reaching law. Entities covered by the Privacy and Security Rules include healthcare plans, providers and clearinghouses. The Rule also extends to the business associates of covered entities, which include auditors, consultants, lawyers, data and billing firms, and others with whom the covered entities have agreements involving the use of protected health information. The covered entity must receive satisfactory assurances that the business associate will comply with the Privacy and Security Rules, though the covered entity need not monitor the business associate's work unless it learns of a problem with compliance.
In addition, the Rules apply to any company that offers healthcare and treatment to its employees on-site. Thus, if an employer or school operates an on-site clinic, the clinic would be a covered entity, and its patient information would be subject to the Privacy and Security Rules.
4 of 47
Examples of Covered Entities
5 of 47
What is a Business Associate?
A person or entity which performs certain functions, activities, or services for your organization involving the use and/or disclosure of PHI, but the person or entity is not a part of your organization or its workforce. (Examples: transcription services, temporary staffing services, record copying company, home healthcare agencies, nursing homes, assisted living, rehabilitation centers, etc.) Your organization is required to have agreements with business associates that protect a patient’s PHI.
6 of 47
Entities Covered by State Law
When covered entities use or transmit protected health information in any form, they must comply not only with the Privacy and Security Rules, but also with any State laws regarding privacy of medical records. In the event of a conflict between HIPAA and state law, HIPAA preempts state law unless the state law is more strict. (In other words, whichever provides greater protection to patients must be followed.)
The terrain of state health privacy law remains uneven. While the Federal Health Privacy Rules have established some uniform minimum standards, state health privacy laws remain diverse in the rights and protections that they afford. Because the Federal Health Privacy Rules do not cover all who hold health information and do not preempt many state laws, the level of protection afforded to health information continues to vary depending on who is holding the information and the state in which they are located.
7 of 47
Covered Transactions
HIPAA establishes a single set of transaction standards for electronic healthcare transactions, thus enabling healthcare providers and insurance companies to communicate more fluidly. The Privacy and Security Rules cover the following types of information transactions:
- Healthcare claims (professional, institutional and dental)
- Health plan eligibility inquiries and responses
- Enrollment and disenrollment in a health plan
- Healthcare payment and remittance advice
- Health plan premium payments
- Claim status inquiries and responses
- Referral certification and authorization, and
- Coordination of benefits.
The rules also require covered entities to use special coding standards for all transactions involving electronic data interchange (EDI), including the use of "unique identifiers" for providers, health plans, employers and patients. These new coding standards are still being developed and defined by the Department of Health and Human Services.
8 of 47
Protected Health Information (PHI)
The Privacy and Security Rules protect individually identifiable health information transmitted or maintained by a covered entity, no matter what form it takes. This means that when a doctor takes notes in a medical chart, when a hospital data-entry clerk types health insurance information into a computer, or when healthcare providers discuss a patient's condition, any identifiable health information becomes protected health information (PHI) under HIPAA. Note, however, that employment records held by a covered entity in its role as an employer are not considered PHI.
While many covered entities may seek to rely on practice-management software or healthcare clearinghouses as a means of ensuring HIPAA compliance for their healthcare transactions, software alone cannot provide a complete solution. Most of the work in complying with HIPAA for all covered entities is in developing and administering systems and policies that prevent the misuse of PHI in a comprehensive and consistent way.
9 of 47
Examples of PHI
PHI = Health Information with Identifiers
• Name
• Postal address
• All elements of dates except year
• Telephone number
• Fax number
• Email address
• URL address
• IP address
• Social security number
• Account numbers
• License numbers
• Medical record number
• Health plan beneficiary #
• Device identifiers and their serial numbers
• Vehicle identifiers and serial number
• Biometric identifiers (finger and voice prints)
• Full face photos and other comparable images
• Any other unique identifying number, code, or characteristic
Applies to Written and Electronic Information
10 of 47
Treatment - Payment - Healthcare Operations (TPO)
11 of 47
Notice of Privacy Practices (NPP)
The Privacy Rule requires a covered entity to:
- Provide patients with a Notice of Privacy Practices (NPP); and
- Make a good-faith effort to obtain a patient's written acknowledgment of receiving the NPP.
The NPP must inform patients of:
1. The uses and disclosures of PHI that the entity may make
2. The patient's right to access and amend their medical information, and
3. The covered entity's responsibilities with respect to PHI.
Once it has obtained the acknowledgment or has made a good-faith effort to do so, the entity may:
- Use PHI for its own treatment, payment or healthcare operations; and
- Disclose PHI to other covered entities for their treatment, payment or certain limited healthcare operations.
When using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.
12 of 47
Covered Entities’ Responsibility
Must use or share only the minimum amount of PHI necessary, except for requests made:
• For treatment of the patient
• By the patient, or as requested by the patient to others
• To complete standardized electronic transactions, as required by HIPAA
• By the Secretary of the Department of Health & Human Services (DHHS)
• As required by law
13 of 47
Examples of TPO
• The patient’s referring physician calls and asks for a copy of the patient’s recent exam at your organization (Treatment)
• A patient’s insurance company calls and requests a copy of the patient’s medical record for a specific service date (Payment)
• The Quality Improvement office calls and asks for a copy of an operative report (Health Care Operations)
• Patient information may be provided for these TPO purposes
14 of 47
For Purposes other than TPO
• Unless required or permitted by law, entities must obtain written authorization from the patient to use, disclose, or access patient information.
• Patient Authorization allows entities to disclose information for purposes not related to treatment, payment, or operations
  - For human subjects research, additional rules and training are required if your organization is involved in human subjects research.
  - PHI may not be accessed for human subjects research unless the Institutional Review Board (IRB) has approved the research and
  - BOTH Informed Consent and HIPAA Authorization have been obtained from the subject, OR the organization IRB has approved a Waiver of Informed Consent and HIPAA Authorization.
NOTE: if you obtain or use PHI for research purposes with only an Informed Consent but without a HIPAA Authorization, it is considered an unauthorized disclosure under HIPAA.
15 of 47
Use and Disclosures of PHI for Research
PHI may be used in research if appropriate authorization from research participants is obtained, or if the PHI is obtained through one of the following alternatives:
• Certified De-identified data sets;
• Limited data sets (when accompanied by an appropriate Data Use Agreement);
• Waiver or alteration of the authorization requirement by an Institutional Review Board (IRB) or Privacy Board;
• Research involving decedents’ PHI (when appropriate representations are made by the researcher to your organization that the PHI is necessary and sought solely for research on decedents); or
• Reviews preparatory to research when your organization receives representations from the researcher that access to the PHI is necessary and will not be removed from your organization.
• PHI may be used in research only by those individuals authorized to access the information by the person(s) responsible for the project (principal investigator, project director, project coordinator) or the department head. The person(s) responsible must protect the information from unauthorized access and must maintain and regularly update a list of staff that is authorized to have access to the PHI.
16 of 47
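As an added example (not part of this training deck), the Python routine below applies the identifier list from the Examples of PHI slide and its "all elements of dates except year" rule to a patient record, the kind of processing behind the certified de-identified data sets listed above for research. The field names, regular expressions and the sample record are constructed assumptions, not a schema from any real system.

```python
import re
from datetime import date

# Fields the Examples of PHI slide lists as identifiers (field names are
# constructed for this example); these are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "postal_address", "telephone", "fax", "email", "url", "ip_address",
    "ssn", "account_number", "license_number", "medical_record_number",
    "health_plan_beneficiary_number", "device_serial", "vehicle_id",
    "biometric", "full_face_photo",
}

# Identifier shapes that leak into free-text fields (notes, comments).
# Dates are reduced to their year rather than redacted, per the slide.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b|\b(\d{4})-(\d{2})-(\d{2})\b"),
}


def _year_only(match):
    """Keep only the year of a matched date (group 3 for MM/DD/YYYY, 4 for ISO)."""
    return match.group(3) or match.group(4)


def scrub_text(text):
    """Redact identifier patterns in free text. Returns (clean_text, kinds_found)."""
    found = []
    for kind, pattern in TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(kind)
            if kind == "date":
                text = pattern.sub(_year_only, text)
            else:
                text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    return text, found


def deidentify(record):
    """Return (clean_record, audit_trail): direct identifier fields are dropped,
    date values keep only the year, and string fields are scrubbed."""
    clean, audit = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            audit.append(f"removed field {field}")
        elif isinstance(value, date):
            clean[field + "_year"] = value.year
            audit.append(f"reduced {field} to year")
        elif isinstance(value, str):
            clean[field], kinds = scrub_text(value)
            audit.extend(f"scrubbed {k} from {field}" for k in kinds)
        else:
            clean[field] = value
    return clean, audit


def residual_identifiers(record):
    """Release check: list identifier fields or patterns still present in a record."""
    hits = [f for f in record if f in DIRECT_IDENTIFIER_FIELDS]
    for field, value in record.items():
        if isinstance(value, date):
            hits.append(f"{field}:date")
        elif isinstance(value, str):
            hits.extend(f"{field}:{k}" for k in scrub_text(value)[1])
    return hits


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "medical_record_number": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "date_of_birth": date(1980, 3, 14),
    "admission_date": date(2021, 6, 2),
    "diagnosis": "Type 2 diabetes mellitus",
    "clinician_note": ("Pt called from (555) 010-2222 on 06/03/2021; portal login "
                       "from 10.0.0.5, contact jane.sample@example.com for follow-up."),
    "age": 41,
}

if __name__ == "__main__":
    cleaned, trail = deidentify(SAMPLE_RECORD)
    for line in trail:
        print(line)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The audit trail is what a reviewer keeps alongside the released data set; the residual check is the gate before release, since a single unscrubbed note can re-identify the whole record.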
Other Use of PHI
As a general rule, a covered entity may not use or disclose protected health information for purposes other than treatment, payment and healthcare operations without the patient's written authorization.
Marketing
The Privacy Rule prohibits a covered entity from disclosing PHI to others for marketing purposes without the patient's written authorization. For example, a pharmacy may not provide a pharmaceutical company a list of patients with a particular disease or condition in order for the pharmaceutical company to market drugs to those patients without their authorization.
17 of 47
Other Use of PHI Cont.
At the same time, communications regarding treatment, case management or the recommending of alternative therapies are excluded from the definition of "marketing," as are communications that promote health in a general manner. Thus, for example, a health-related newsletter that a covered entity distributes to patients to inform them about new healthcare developments would not be considered marketing under the Privacy Rule.
Incidental Disclosures
The Privacy Rule allows "incidental" disclosures of PHI, as long as the covered entity uses reasonable safeguards and adheres to the "minimum necessary" standards. For example, doctors' offices may use waiting-room sign-in sheets, hospitals may keep charts at bedside, doctors may talk to patients in semi-private rooms, and medical staff may confer at the nurse's station without violating the Privacy Rule.
18 of 47
Treat Patients’ Information as if it were your own information
19 of 47
Patients’ Rights
• The right to request restriction of PHI uses & disclosures
• The right to request alternative forms of communications (mail to P.O. Box, not street address; no message on answering machine, etc.)
• The right to access and copy patient’s PHI
• The right to an accounting of the disclosures of PHI
• The right to request amendments to information
20 of 47
Downloading / Copying / Removal
• Employees should not download, copy, or remove from the clinical areas any PHI, except as necessary to perform their jobs.
• Upon termination of employment, or upon termination of authorization to access PHI, the employee must return copies of PHI in his or her possession.
• Shred or destroy PHI before throwing it away.
• Dispose of paper and other records with PHI in secured shredding bins. Recycling and trash bins are NOT secure.
• Shredding bins work best when papers are put inside the bins. When papers are left outside the bin, they are not secured from:
  - Daily gossip
  - Daily trash
  - The public
21 of 47
Know where you left your paperwork
• Check printers, faxes, copier machines when you are done using them
• Ensure paper charts are returned to applicable areas in nursing stations, medical records, or designated file rooms
• Do not leave hard copies of PHI lying on your desk; lock them up in your desk at the end of the day
• Seal envelopes well when mailing
• Faxing is permitted. Always include, with the faxed information, a cover sheet containing a Confidentiality Statement
• Limit manual faxing to urgent transmittals. In an emergency, faxing PHI is appropriate when the information is needed immediately for patient care
• Other situations considered urgent (e.g., results from lab to physician)
• Place the fax machine in a secure area
22 of 47
Information that should not be Faxed except in an emergency:
- Drug dependency
- Alcohol dependency
- Mental illness or psychological information
- Sexually-transmitted disease (STD) information
- HIV status
23 of 47
HIPAA Security Rule Provisions
24 of 47
Administrative Safeguards
Since many of us receive, store and transmit PHI as part of our day-to-day responsibilities, the Privacy Rule requires the following administrative safeguards to ensure that PHI is not compromised:
- Designating a Privacy Officer to be responsible for the development and implementation of privacy policies
- Providing physical safeguards to protect our computer systems and related equipment from fire, other environmental hazards and intrusion
- Using technical safeguards like encryption software to transmit health information over the Internet
- Requiring business associates (lawyers, consultants, auditors, billing companies, pharmacists, etc.) to confirm that they will protect PHI
- Developing a system to track who accessed what information; and
- Implementing rules for addressing violations of privacy, security and transaction regulations, including establishing a process for making complaints and preventing retaliation against anyone who reports a HIPAA violation.
HIPAA also requires those with access to PHI to undergo periodic training on these and other appropriate privacy procedures, and to keep documented proof that these trainings have been given.
25 of 47
More Administrative Safeguards
The Security Rule also requires that administrative, physical and technical safeguards are in place to prevent the improper use or disclosure of PHI. The required administrative safeguards are as follows:
• Certification Review: A technical evaluation to ensure that our computer environment is secure from intrusion.
• Chain of Trust Agreements: Agreements with external recipients of PHI confirming that they will protect the confidentiality of data exchanged.
• Contingency Plan: A plan for responding to system emergencies, including the performance of backups, emergency-mode operations, and disaster-recovery procedures.
• Policies & Procedures: Policies and procedures for the proper use of healthcare information.
• Access Controls: A plan for granting different levels of access to healthcare information, including policies that determine each individual's right to access the information.
• Internal Audit Procedures: An in-house review of system activity records (such as log-ins, file accesses, and security incidents).
26 of 47
More Administrative Safeguards Cont.
• Personnel Security: Security checks and special training for all employees with access to sensitive information regarding the proper use and handling of PHI, and documentation to verify that the training has occurred.
• Security Configuration Management: Procedures for the security of our computer systems, such as virus checking and security testing.
• Security Incident Procedures: Instructions for reporting security breaches.
• Security Management Process: A process to ensure that we have the proper infrastructure in place to prevent and detect security breaches.
• Termination Procedures: Procedures to prevent a terminated employee from having access to confidential information.
HIPAA also requires those with access to PHI to undergo periodic training on these and other appropriate security procedures, and to keep documented proof that these trainings have been given.
27 of 47
Physical Safeguards
The Security Rule also requires a number of physical steps to ensure that PHI contained in computers is properly protected from fire and environmental hazards, as well as from intrusion. Physical safeguards include the following:
- Security Management: Assignment of responsibility for Security management.
- Media Controls: A set of procedures that govern the receipt and removal of hardware and software (such as diskettes, tapes, and personal data assistants).
- Physical Access Controls: Procedures that deter intruders from accessing environments where sensitive information resides.
- Equipment Controls: Security policies for bringing hardware and software into and out of offices, including policies on how to dispose of hardware and other storage media.
- Guidelines on Workstation Use: Procedures describing the proper functions to be performed on computers, and how to handle sensitive information that may be displayed on computer screens.
28 of 47
Technical Safeguards
Finally, the Security Rule requires certain technical safeguards for PHI, including:
- Access Controls: Controls to ensure that access to sensitive information is available on a need-to-know basis, based on roles and context.
- Audit Controls: Controls to record and examine system activity, helping to eliminate unnecessary access to sensitive information.
- Authorization Controls: Controls for obtaining consent for the use and disclosure of health information.
- Data Authentication: Controls to help ensure that health data has not been altered in an unauthorized manner.
- Entity Authentication: Controls to ensure that data is sent to the intended recipient and received by the intended party. These controls include the use of password protections, PIN numbers and, when sent over public networks, encryption.
29 of 47
Technical Safeguard Cont.
Sending PHI via E-mail and Fax
According to the Security Rule, it is permissible to use the Internet to transmit PHI, as long as
• An acceptable method of encryption is used to protect confidentiality, and
• Appropriate authentication procedures are followed to ensure correct identification of the sender and receiver.
Although faxes are transmitted over telephone lines, they are not considered to be "covered transactions," so they may be sent without additional security precautions.
30 of 47
Privacy Breach from Lost, Stolen, or Misdirected Information
A privacy breach can occur when information is:
• Physically lost or stolen
  - Paper copies, films, tapes, electronic devices
  - Anytime, anywhere - even while on public transportation, crossing the street, in the building, in your office
• Misdirected to others outside of your organization
  - Verbal messages sent to or left on the wrong voicemail or sent to or left for the wrong person
  - Mislabeled mail, misdirected email
  - Wrong fax number, wrong phone number
  - Placed on intranet, internet, websites, Facebook, Twitter
31 of 47
What constitutes a Breach?
Definition of “Breach”: An impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy Rule.
Examples include:
- Laptop containing PHI is stolen
- Receptionist who is not authorized to access PHI looks through patient files in order to learn of a person’s treatment
- Nurse gives discharge papers to the wrong individual
- Billing statements containing PHI mailed or faxed to the wrong individual/entity
32 of 47
Examples of Privacy Breach
• Talking in public areas, talking too loudly, talking to the wrong person
• Lost/stolen or improperly disposed of paper, mail, films, notebooks
• Lost/stolen laptops, PDAs, cell phones, media devices (video and audio recordings)
• Lost/stolen media like CDs, flash drives, memory cards
• Hacking of unprotected computer systems
• Email or faxes sent to the wrong address, wrong person, or wrong number
• User not logging off of computer systems, allowing others to access their computer or system
33 of 47
Exceptions to Breach
• Unintentional acquisition, access, use or disclosure by a workforce member (“employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity”) acting under the authority of a covered entity or business associate.
• Inadvertent disclosures of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized healthcare arrangement in which the covered entity participates.
• If a covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.
34 of 47
Breach Notification Obligations
If a breach has occurred, your organization will be responsible for providing notice to:
• The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery; a breach is considered discovered when the incident becomes known, not when the covered entity or Business Associate concludes the analysis of whether the facts constitute a Breach)
• The Secretary of Health & Human Services (HHS) (timing will depend on the number of individuals affected by the breach)
• Media (only required if 500 or more individuals of any one state are affected)
35 of 47
What if there is a Breach of Confidentiality?
Breaches of the policies and procedures or a patient’s confidentiality must be reported to your organization's privacy official. Please follow your organization’s policy manual for the reporting procedure.
37 of 47
Disciplinary Actions (Sanctions)
Internal Disciplinary Actions
• Individuals who breach the policies will be subject to appropriate discipline under the organization’s sanction policy.
Civil/Criminal Penalties
• An employee who does not protect a patient’s privacy and follow all required policies and procedures could lose his or her job.
• Covered entities and individuals who violate these standards will be subject to civil and/or criminal liability.
38 of 47
Civil Penalties
Covered entities and individuals who violate these standards will be subject to civil liability.
Tiered Civil Penalties
HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million
39 of 47
HIPAA Criminal Penalties
HIPAA Violation | Criminal Penalty
An individual who knowingly obtains or discloses individually identifiable health information in violation of HIPAA regulations | Up to $50,000 and up to one-year imprisonment
If wrongful conduct involves false pretenses | Criminal penalties increase to $100,000 and up to five years imprisonment
If the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm | $250,000 and up to 10 years imprisonment
40 of 47
Reporting Security Incidents / Privacy Breaches
You are required to:
• Respond to security incidents and report them first to your practice Information Privacy and Security personnel and/or to the Practice Administrator, as well as to the Information Privacy and Security Officer.
• Immediately report any known or suspected privacy breaches (such as paper, conversations, suspected unauthorized or inappropriate access or use of PHI), first to your practice Information Privacy and Security personnel and/or to the Practice Administrator, as well as to your organization’s Information Privacy and Security Office.
41 of 47
Conclusion
Test/Quiz: Go To Next Slide
From the patients’ point of view, ALL information is private. This includes a patient’s:
• Personal information
• Financial information
• Medical information
• Protected Health Information
• Information in any format: spoken, written, or electronic
To wrap things up, remember that patient privacy and data security, whether paper or electronic, is a top priority for pharmacy staff. Protected Health Information refers to the data you must keep private and secure because, alone or in combination, it identifies an individual patient. Patients, including you when you are a patient, have a number of rights with respect to protected health information. Patients may request copies, file a complaint, or request amendments or changes to the record. Think back over the questions and case studies and recall how often the answer could be chosen using common sense. HIPAA has many rules, but most are pretty easy to follow.
42 of 47
Active Learning
Other Administrative Simplification Rules - In addition to the HIPAA Privacy, Security, and Enforcement Rules, the HIPAA Administrative Simplification Rule also includes the following rules and standards: https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/index.html
43 of 47
References
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191. https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996
HHS published a final Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
HHS published a final Security Rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
The HITECH Act of 2009 expanded the responsibilities of business associates under the HIPAA Security Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html
44 of 47