The document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. It defines key terms like protected health information (PHI), covered entities, and business associates. It describes HIPAA regulations around the privacy of PHI, including the minimum necessary rule, authorizations required for disclosure, and the notice of privacy practices. It also outlines HIPAA security rules, including administrative, physical, and technical safeguards covered entities must implement to secure electronic PHI (ePHI). Breaches of PHI are also discussed, along with examples of companies that have faced fines for HIPAA violations.
2. HIPAA Background
• 1996. Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191.
– Department of Health and Human Services (HHS) adopts national standards for electronic health care transactions and code sets, unique health identifiers, and security.
• 2009. Health Information Technology for Economic and Clinical Health Act (HITECH) enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
• 2010. Patient Protection and Affordable Care Act of 2010 (ACA).
• 2013. HIPAA Omnibus Rule makes changes to existing privacy, security and breach notification requirements.
3. HIPAA Regulations
• CFR 45 PART 160: General administrative requirements
• CFR 45 PART 162: Administrative requirements
• CFR 45 PART 164: Security and privacy rules
5. Business Associate
• Business Associate includes the partners that may provide legal, actuarial, accounting, consulting, data aggregation, management, administration or financial services wherein the services require the disclosure of individually identifiable health information.
• A key concern, among many, is that some software vendors almost certainly will be categorized as Business Associates.
6. Covered Entity & Electronic Media
• Covered Entity means:
– A health plan
– A health care clearinghouse
– A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
• Electronic media means:
– Electronic storage material on which data is or may be recorded electronically.
– Transmission media used to exchange information already in electronic storage media.
7. Health Care & Health Care Provider & Health Information
• Health care means:
– Care, services, or supplies related to the health of an individual.
• Health care provider means:
– A provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
• Health information means:
– Any information, whether oral or recorded in any form or medium.
8. Individual & Individually Identifiable Health Information & Protected Health Information (PHI)
• Individual means:
– The person who is the subject of protected health information.
• Individually identifiable health information means health information that:
– Identifies the individual
– Or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
• Protected health information means:
– Individually identifiable health information that is
• Transmitted by electronic media
• Maintained in electronic media
• Transmitted or maintained in any other form or medium
9. PHI Includes One or More of These Identifiers (§164.514(b)(2)(i))
– Names
– Addresses including Zip Codes
– All Dates
– Telephone & Fax Numbers
– Email Addresses
– Social Security Numbers
– Medical Record Numbers
– Health Plan Numbers
– License Numbers
– Vehicle Identification Numbers
– Account Numbers
– Biometric Identifiers
– Full Face Photos
– Any Other Unique Identifying Number, Characteristic, or Code
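As an added example (not part of the deck), a small scanner that checks free text for the identifier categories listed above that have a recognisable shape, and reports the categories that still need a human look. The regular expressions and the sample note are constructed for illustration.

```python
import re

# Identifier categories from the slide that have a machine-recognisable
# shape. The patterns are constructed for this example and kept simple;
# a production scanner would use stricter, locale-aware patterns.
PATTERNS = {
    "Social Security Numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone & Fax Numbers": re.compile(r"\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"),
    "Email Addresses": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Full dates only: the Safe Harbor method lets the year alone stand,
    # so a bare "1974" is not flagged.
    "All Dates": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    # State abbreviation followed by a ZIP or ZIP+4.
    "Zip Codes": re.compile(r"\b[A-Z]{2} \d{5}(?:-\d{4})?\b"),
    "Medical Record Numbers": re.compile(r"\bMRN[ #:]*\d{6,}\b", re.IGNORECASE),
}

# Categories on the slide that a regex cannot find reliably; they are
# reported as needing a name dictionary or human review.
MANUAL_REVIEW = (
    "Names",
    "Biometric Identifiers",
    "Full Face Photos",
    "Any Other Unique Identifying Number, Characteristic, or Code",
)

# Constructed sample note containing several of the listed identifiers.
SAMPLE_NOTE = (
    "Patient Jane Doe, DOB 03/14/1974, MRN 00481516, SSN 123-45-6789. "
    "Lives at 42 Elm St, Springfield, IL 62704. Phone (217) 555-0142, "
    "email j.doe@example.org. Discharged 2024-02-09 in stable condition."
)

# The same note after Safe Harbor de-identification: years retained,
# every other listed identifier removed.
DEIDENTIFIED_NOTE = "Patient [REDACTED], born 1974, discharged 2024 in stable condition."


def find_identifiers(text):
    """Return {category: [matched strings]} for every pattern that fires."""
    hits = {}
    for category, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def safe_harbor_report(text):
    """Automated findings plus the categories that still need a human look.

    'clean_by_pattern' is True only when no pattern fired; it is not a
    certificate of de-identification, because the MANUAL_REVIEW categories
    are outside what this scanner can see.
    """
    hits = find_identifiers(text)
    return {
        "automated_hits": hits,
        "needs_manual_review": list(MANUAL_REVIEW),
        "clean_by_pattern": not hits,
    }


if __name__ == "__main__":
    for label, note in (("original", SAMPLE_NOTE), ("de-identified", DEIDENTIFIED_NOTE)):
        report = safe_harbor_report(note)
        print(f"{label}: clean_by_pattern={report['clean_by_pattern']}")
        for category, values in report["automated_hits"].items():
            print(f"  {category}: {values}")
```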
10. Use and Disclosure of PHI
• Use of PHI refers to how PHI is internally accessed, shared and utilized by the covered entity that maintains such information.
• Disclosure of PHI refers to how PHI is shared with individuals or entities externally.
11. Notice of Privacy Practices (NPP)
• Notice of Privacy Practices means:
– Providers and Health Plans must have a Notice of Privacy Practices (NPP).
• It provides a detailed description of the various uses and disclosures of PHI that are permissible without obtaining a patient’s authorization.
– In general, anytime you release patient information for a reason unrelated to treatment, payment (e.g., billing) or healthcare operations (TPO), an authorization is required.
12. Treatment, Payment and Operations (TPO)
• Treatment: Various activities related to patient care.
• Payment: Various activities related to paying for or getting paid for health care services.
• Health Care Operations: Generally refers to day-to-day activities of a covered entity, such as planning, management, training, improving quality, providing services, and education.
• NOTE:
– Research is not considered TPO.
– Written patient authorization is required to access PHI for research unless an authorization waiver is approved by the Institutional Review Board (IRB).
14. General Rule (§164.306)
• General requirements:
– Ensure the confidentiality, integrity, and availability of all its ePHI.
– Protect against any reasonably anticipated threats or hazards to its ePHI.
– Protect against any reasonably anticipated uses or disclosures of ePHI not permitted.
• Implementation specifications.
– Required specifications must be implemented.
– Addressable specifications must be assessed and implemented as specified if reasonable and appropriate to the Covered Entity.
• Maintenance.
15. Administrative Safeguards (§164.308(a))
– Security management process
– Assigned security responsibility
– Workforce security
– Information access management
– Security awareness and training
– Security incident procedures
– Contingency plan
– Evaluation
16. Physical Safeguards (§164.310)
• Facility access controls.
• Workstation use.
• Workstation security.
• Device and media controls.
17. Policies and Procedures and Documentation Requirements (§164.316(b)(2))
• Time limit.
– Retain the documentation required for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
• Availability
• Updates
20. Required/Addressable Specifications of Security Standards
Administrative safeguards: each standard, its implementation specifications, and the section that carries them.
• Security Management Process (164.308(a)(1))
– Risk Analysis: 164.308(a)(1)(ii)(A)
– Risk Management: 164.308(a)(1)(ii)(B)
– Sanction Policy: 164.308(a)(1)(ii)(C)
– Information System Activity Review: 164.308(a)(1)(ii)(D)
• Assigned Security Responsibility
– Assigned Security Responsibility: 164.308(a)(2)
• Workforce Security (164.308(a)(3))
– Authorization and/or Supervision: 164.308(a)(3)(ii)(A)
– Workforce Clearance Procedure: 164.308(a)(3)(ii)(B)
– Termination Procedures: 164.308(a)(3)(ii)(C)
• Information Access Management (164.308(a)(4))
– Isolating Health Care Clearinghouse Function: 164.308(a)(4)(ii)(A)
– Access Authorization: 164.308(a)(4)(ii)(B)
– Access Establishment and Modification: 164.308(a)(4)(ii)(C)
• Security Awareness and Training (164.308(a)(5))
– Security Reminders: 164.308(a)(5)(ii)(A)
– Log-in Monitoring: 164.308(a)(5)(ii)(B)
– Protection from Malicious Software: 164.308(a)(5)(ii)(C)
– Password Management: 164.308(a)(5)(ii)(D)
• Security Incident Procedures
– Response and Reporting: 164.308(a)(6)
• Contingency Plan (164.308(a)(7))
– Data Backup Plan: 164.308(a)(7)(ii)(A)
– Disaster Recovery Plan: 164.308(a)(7)(ii)(B)
– Emergency Mode Operation Plan: 164.308(a)(7)(ii)(C)
– Testing and Revision Procedure: 164.308(a)(7)(ii)(D)
– Applications and Data Criticality Analysis: 164.308(a)(7)(ii)(E)
• Evaluation
– Evaluation: 164.308(a)(8)
• Business Associate Contracts and Other Arrangements
– Written Contract or Other Arrangement: 164.308(b)(3)
21. Required/Addressable Specifications of Security Standards
Physical and technical safeguards and documentation: each standard, its implementation specifications, and the section that carries them.
• Facility Access Control (164.310(a))
– Contingency Operations: 164.310(a)(2)(i)
– Facility Security Plan: 164.310(a)(2)(ii)
– Access Control and Validation Procedures: 164.310(a)(2)(iii)
– Maintenance Records: 164.310(a)(2)(iv)
• Workstation Use
– Workstation Use: 164.310(b)
• Workstation Security
– Workstation Security: 164.310(c)
• Device and Media Control (164.310(d))
– Disposal: 164.310(d)(2)(i)
– Media Re-use: 164.310(d)(2)(ii)
– Accountability: 164.310(d)(2)(iii)
– Data Backup and Storage: 164.310(d)(2)(iv)
• Access Control (164.312(a))
– Unique User Identification: 164.312(a)(2)(i)
– Emergency Access Procedure: 164.312(a)(2)(ii)
– Automatic Logoff: 164.312(a)(2)(iii)
– Encryption and Decryption: 164.312(a)(2)(iv)
• Audit Controls
– Audit Controls: 164.312(b)
• Integrity
– Mechanism to Authenticate Electronic Protected Health Information: 164.312(c)(1)
• Person or Entity Authentication
– Person or Entity Authentication: 164.312(d)
• Transmission Security (164.312(e))
– Integrity Controls: 164.312(e)(2)(i)
– Encryption: 164.312(e)(2)(ii)
• Documentation (164.316(b)(2))
– Time Limit: 164.316(b)(2)(i)
– Availability: 164.316(b)(2)(ii)
– Update: 164.316(b)(2)(iii)
22. Minimum Necessary Rule (§164.502(b))
• Generally, the amount of PHI used, shared, accessed or requested must be limited to only what is needed.
• Workers should access or use only the PHI necessary to carry out their job responsibilities.
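The minimum necessary rule, the information system activity review specification (164.308(a)(1)(ii)(D)) and the audit controls standard (164.312(b)) from the preceding slides are easiest to see together in code. This is an added example, not material from the deck; the roles, field entitlements, patient records and review thresholds are all constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role -> permitted-field policy. Anything not in a role's set
# is never returned, whatever the caller asks for.
ROLE_FIELDS = {
    "treating_clinician": {"mrn", "name", "dob", "diagnosis", "medications", "allergies"},
    "billing_clerk": {"mrn", "name", "insurance_id", "procedure_codes"},
    "scheduler": {"mrn", "name", "phone"},
}

# Constructed patient records keyed by medical record number.
PATIENT_RECORDS = {
    "00481516": {
        "mrn": "00481516", "name": "Jane Doe", "dob": "1974-03-14",
        "ssn": "123-45-6789", "phone": "(217) 555-0142",
        "insurance_id": "INS-778812", "diagnosis": "E11.9",
        "medications": ["metformin"], "allergies": ["penicillin"],
        "procedure_codes": ["99213"],
    },
    "00481517": {
        "mrn": "00481517", "name": "John Roe", "dob": "1968-11-02",
        "ssn": "987-65-4321", "phone": "(217) 555-0199",
        "insurance_id": "INS-204411", "diagnosis": "I10",
        "medications": ["lisinopril"], "allergies": [],
        "procedure_codes": ["99214"],
    },
}


@dataclass(frozen=True)
class AuditEntry:
    """One line of the audit trail (164.312(b)); never edited after append."""
    when: str
    user: str
    role: str
    mrn: str
    returned: tuple
    denied: tuple


class MinimumNecessaryStore:
    def __init__(self, records):
        self._records = records
        self.audit_log = []

    def _append(self, user, role, mrn, returned, denied):
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, role=role, mrn=mrn,
            returned=tuple(sorted(returned)), denied=tuple(sorted(denied))))

    def read(self, user, role, mrn, requested=None):
        """Return the requested fields, filtered to what the role may see.

        With no explicit request the caller gets the role's full entitlement
        and nothing more; out-of-role fields are recorded as denied.
        """
        if role not in ROLE_FIELDS:
            self._append(user, role, mrn, (), requested or ())
            raise PermissionError(f"role {role!r} has no ePHI entitlement")
        permitted = ROLE_FIELDS[role]
        record = self._records.get(mrn, {})
        wanted = set(requested) if requested else set(permitted)
        granted = wanted & permitted & set(record)
        denied = wanted - permitted
        self._append(user, role, mrn, granted, denied)
        return {k: record[k] for k in sorted(granted)}


def activity_review(log, max_denied=2, max_patients=3):
    """Information system activity review over the audit trail.

    Flags users who repeatedly ask for fields outside their role or who touch
    more distinct patients than their job plausibly needs. Thresholds are
    illustrative constants.
    """
    denied_by_user = Counter()
    patients_by_user = {}
    for entry in log:
        denied_by_user[entry.user] += len(entry.denied)
        patients_by_user.setdefault(entry.user, set()).add(entry.mrn)
    flagged = {}
    for user, patients in patients_by_user.items():
        reasons = []
        if denied_by_user[user] > max_denied:
            reasons.append(f"{denied_by_user[user]} out-of-role field requests")
        if len(patients) > max_patients:
            reasons.append(f"accessed {len(patients)} distinct patients")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    store = MinimumNecessaryStore(PATIENT_RECORDS)
    print(store.read("clerk01", "billing_clerk", "00481516"))
    # A clerk asking for clinical data gets only the in-role field back.
    print(store.read("clerk01", "billing_clerk", "00481516", ["name", "ssn", "diagnosis"]))
    print(activity_review(store.audit_log, max_denied=1))
```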
23. Authorization (§164.508)
• A covered entity may not use or disclose protected health information for reasons generally not related to treatment, payment or healthcare operations without an authorization.
• The Authorization must include:
– A detailed description of the PHI to be disclosed, who will make the disclosure, to whom the disclosure will be made, expiration date, the purpose of the disclosure, and signature.
– The individual's right to revoke, the ability or inability to condition usage, and the potential for information disclosed.
24. Types of Disclosures
• No Authorization Required (§ 164.512)
• Authorization Required, but Must Give Opportunity to Object (§ 164.510)
• Authorization Required (§ 164.508)
25. Uses and Disclosures for Which An Authorization or Opportunity to Agree or Object Is Not Required
• To disclose PHI to the patient (§ 164.502)
• To use or disclose PHI for treatment, payment or healthcare operations (§ 164.502)
• Certain disclosures required by law (for example, public health reporting of diseases, child abuse/neglect cases, etc.) (§ 164.512(a)-(l))
26. Uses and Disclosures for Which An Authorization Is Required
• A covered entity may not use or disclose protected health information without an authorization. (§ 164.508(a)(1))
• To access, use or disclose PHI for research (§ 164.512(i)(1)(i))
• For marketing activities and sale of PHI (§ 164.508(a)(3))
27. Uses and Disclosures Requiring An Opportunity for The Individual to Agree or to Object
• The Patient must be offered an opportunity to object before discussing PHI with a patient’s family or friends. (§ 164.510(b)(1)(i))
• Limited PHI (e.g., patient’s hospital room/location number) is included in the “Hospital Directory”, but patients are offered an “Opt Out” opportunity, as they are for certain disclosures to clergy members. (§ 164.510(b)(3))
• Exception: Emergency circumstances (§ 164.510(a)(3))
28. Breach (§164.402(b))
• Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the privacy rules.
• Amount of a civil money penalty.
– Not less than $100 or more than $50,000 for each violation
– Not in excess of $1,500,000 for identical violations during a calendar year
• Criminal Liability
– Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.
29. Companies & Fines
Entity fined (date): fine. Violation.
• CIGNET (Feb, 2011): $4,300,000. Online database application error.
• Alaska Department of Health and Human Services (June, 2012): $1,700,000. Unencrypted USB hard drive stolen, poor policies and risk analysis.
• WellPoint (Sep, 2012): $1,700,000. Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database. Failed to conduct a technical evaluation in response to a software upgrade.
• Blue Cross Blue Shield of Tennessee (Mar, 2012): $1,500,000. 57 unencrypted hard drives stolen.
• Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (Sep, 2012): $1,500,000. Unencrypted laptop stolen, poor risk analysis, policies.
• Affinity Health Plan (Aug, 2013): $1,215,780. Returned photocopiers without erasing the hard drives.
• South Shore Hospital (May, 2012): $750,000. Backup tapes went missing on the way to a contractor.
• Idaho State University (May, 2013): $400,000. Breach of unsecured ePHI.