Protecting Patient Privacy
Denise Lemin
MHA 690
What is HIPAA?
Health Insurance Portability and Accountability Act (Public Law 104-191), signed August 21, 1996.
What is HITECH?
Health Information Technology for Economic and Clinical Health.
Signed into law on February 17, 2009.
In this session we will refer to HIPAA generally, but we will include the requirements of HIPAA as amended by HITECH, such as the breach notification rules. The important thing to remember is that HIPAA (and HITECH) have two primary components that impact what we do daily: the Privacy Rule and the Security Rule, both of which are incorporated into the organization's policies and procedures.
What is Omnibus?
On Jan. 25, 2013, the Department of Health and Human Services (HHS) published the “HIPAA Omnibus Rule,” a set of final regulations modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Organizations must implement policies and procedures to:
• Protect the privacy and security of PHI
• Implement appropriate administrative, physical and technical safeguards to protect the privacy of PHI
• Mitigate any harmful effects of an inappropriate use or disclosure of PHI
• Provide regular training to all staff
• Develop a system of sanctions for anyone who violates policies or requirements of the Privacy or Security Rules
• Designate a privacy official and a security official
• Designate a contact person for complaints
Breach Notification Rule
The “significant risk of harm” standard in the interim final rule is eliminated. Any acquisition, access, use, or disclosure of unsecured PHI not permitted under HIPAA is presumed to be a breach unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised, based on an assessment of at least the following four factors:
• The nature and extent of the PHI involved
• The unauthorized person who used the PHI or to whom the disclosure was made
• Whether the PHI was actually acquired or viewed, or only an opportunity to view it existed
• The extent to which the risk to the PHI has been mitigated
Review:
• Only use and disclose PHI as needed, and only disclose the minimum necessary
• Secure PHI when finished with it
• Never look into anyone's record, including your own, without a clear business purpose
Remember, there are required consequences for breaching HIPAA laws and regulations, including corrective action up to and including discharge, and potential civil monetary penalties imposed by the government.