Confidentiality, security, and integrity of information
Introduction
The purpose of this training program is to educate and inform all users of Protected Health Information (PHI) of the requirements set forth by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The U.S. Department of Health and Human Services (HHS) issued a "Privacy Rule" to implement the requirements set forth by HIPAA. The Privacy Rule standards address the use and disclosure of individuals' health information by the organizations (covered entities) that are subject to the Privacy Rule.
Who Is Covered by the Privacy Rule?
Health plans: individual and group plans that provide or pay the cost of medical care.
Health care providers: every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity. Health care providers include all "providers of services" (e.g., institutional providers such as hospitals) and "providers of medical or health services" (e.g., non-institutional providers such as physicians, dentists, and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.
Health care clearinghouses: entities that process nonstandard information they receive from another entity into a standard format or data content. These include billing services, repricing companies, community health management information systems, and value-added networks and switches, if these entities perform clearinghouse functions.
What Information Is Protected?
Protected health information is all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media (electronic, paper, or oral), including demographic data, that relates to:
the individual's past, present, or future physical or mental health condition;
the provision of health care to the individual; or
the past, present, or future payment for the provision of health care to the individual.
Health information is individually identifiable when it identifies the individual, or there is a reasonable basis to believe it can be used to identify the individual, through identifiers such as name, address, birth date, and Social Security number.
General Principles for Uses and Disclosures
A covered entity may not use or disclose protected health information except as the Privacy Rule permits or requires, or as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing. Permitted disclosures include those to parties with a "need to know," such as billing agencies or regulatory bodies, as outlined in the Privacy Rule.
Required disclosures are:
to individuals (or their personal representatives) when they request access to, or an accounting of disclosures of, their protected health information; and
to HHS when it is undertaking a compliance investigation, review, or enforcement action.
Notice and Other Individual Rights
Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The notice must contain certain elements:
the ways in which the entity may use and disclose PHI;
the entity's duties to protect privacy, to provide a notice of privacy practices, and to abide by the terms of the current notice;
a description of individuals' rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated; and
a point of contact for further information and for making complaints to the covered entity.
Enforcement and Penalties for Noncompliance
Termination of employment for violation of HIPAA policy (an organizational sanction, separate from the statutory penalties below).
Civil penalties on the covered entity of $100 per failure to comply with a Privacy Rule requirement. (The dollar amounts on this slide are those published in the May 2003 HHS Summary cited in the references; the statutory amounts have since been raised.)
Criminal penalties for an individual who knowingly obtains or discloses individually identifiable health information in violation of HIPAA: a fine of up to $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.
What Is Your Role?
Ensure that patient information is not disclosed improperly: log off computer terminals when you leave them, and keep records within the appropriate setting.
Do not discuss patient information on social media or in areas outside the clinical area.
Do not share information about patients with friends or family.
Discuss patient information only with those who are permitted to receive it under the Privacy Rule.
Do not give your computer password to anyone.
References
Summary of the HIPAA Privacy Rule, Office for Civil Rights, U.S. Department of Health and Human Services, 05/03, www.hhs.gov/ocr/privacy/hipaa/understanding/summary/ind; retrieved November 13, 2012.