HIPAA & YOU Inservice Notes
TRANSCRIPT
8/12/2019 HIPAA & YOU Inservice Notes
The Health Insurance Portability and Accountability Act (HIPAA) consists of two
overarching parts: the Privacy Rule and the Security Rule.
The HIPAA Privacy Rule provides federal protections for personal health information and provides patients an array of rights with respect to that information. At the same
time, the Privacy Rule is balanced so that it permits the disclosure of personal health
information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical
safeguards for covered entities to use to assure the confidentiality, integrity, and
availability of electronic protected health information.
This presentation will focus on ePHI (Electronic Protected Health Information), which
is patient health information that is computer based, i.e., created, received, stored
or maintained, processed and/or transmitted in electronic media.
Electronic media includes computers, laptops, CDs/DVDs/disks, memory sticks,
smart phones, PDAs, servers, networks, dial-up modems, email, websites, etc.
HIPAA Privacy & Security Laws mandate protection and safeguards for access, use and
disclosure of PHI and/or ePHI with sanctions for violations.
A major goal of the Privacy Rule is to assure that individuals' health information is
properly protected while allowing the flow of health information needed to provide
and promote high quality health care and to protect the public's health and
well-being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.
Because HIPAA targets how healthcare professionals use and/or disclose the patient's
personal health information, this can help the patient feel more at ease about the
privacy of their records.
The Privacy Rule permits uses and disclosures incidental to an
otherwise permitted use or
The following are computerized security measures for limiting access to portions of
patients' records.
1. Unique User ID or Log-In Name, i.e. User Access Controls
2. Password Protection (e.g. Jerusalem = Jeru$@!em)
3. Security for Workstations, Portable Devices & Laptops with ePHI
4. Data Management, e.g., back-up, archive, restore, disposal
5. Secure Remote Access
6. E-Mail Security
7. Safe Internet Use and social media policies
HIPAA requires that Grace Hospital train its workforce members
about the University's HIPAA policies and specific procedures which may affect the
work you do. These rules apply to
you when you look at, use, or share Protected Health Information (PHI).
Examples of patient information:
Patient's name or address
Social Security or other ID numbers
Doctors'/nurses' personal notes
Billing information
Covered entities, such as us, may use
or disclose PHI under these provisions if the required conditions are
met:
As required by law
For public health activities
About victims of abuse, neglect or domestic violence
For health oversight activities
For judicial and administrative proceedings
Not all healthcare professionals need to have access to all components of the patient's
health information. For example, the hospital engineer entering a patient's room to fix
the television does not need to know the patient's diagnosis. But you, as an ancillary
staff member, do need to know the patient's diagnosis to provide adequate care. Now, if the
patient was infectious, the only information the engineer would require is what protective
equipment to wear.
Again, the administrative safeguards play a vital role in the daily practices of
Associates. Policies and procedures govern the practice and uphold the high standards
of practice required when caring for people.
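The engineer-versus-ancillary-staff example above is the "minimum necessary" principle in practice: each role sees only the fields it needs, and every access is logged so it can be reviewed. The following is an added illustration, not code from the inservice notes or from Grace Hospital; the roles, field names, sample record and log format are all constructed for the example.

```python
# Added example: role-based "minimum necessary" filtering of a patient record,
# with an access log. Roles, fields and the sample record are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which record fields each role may see. The engineer gets only what is needed
# to enter the room safely (isolation precautions); ancillary staff, who care
# for the patient, get the diagnosis as well. (Constructed role map.)
ROLE_PERMITTED_FIELDS = {
    "engineer": {"room", "isolation_precautions"},
    "ancillary_staff": {"name", "room", "diagnosis", "isolation_precautions"},
    "billing": {"name", "insurance_id"},
}

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Sample Patient",
    "room": "4B-12",
    "diagnosis": "SAMPLE DIAGNOSIS",
    "isolation_precautions": "contact precautions: gown and gloves",
    "insurance_id": "INS-000000",
}


@dataclass
class AccessLog:
    """In-memory audit trail: who saw which fields of which record, and when."""
    entries: list = field(default_factory=list)

    def record(self, user_id, role, patient_id, fields_returned, outcome):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "role": role,
            "patient_id": patient_id,
            "fields": sorted(fields_returned),
            "outcome": outcome,
        })


def minimum_necessary_view(record, user_id, role, log):
    """Return only the fields the role is permitted to see; log every attempt."""
    patient_id = record["patient_id"]
    allowed = ROLE_PERMITTED_FIELDS.get(role)
    if allowed is None:
        # Unknown role: deny by default and leave a trace for review.
        log.record(user_id, role, patient_id, [], "denied")
        raise PermissionError(f"role {role!r} has no permitted fields")
    view = {k: v for k, v in record.items() if k in allowed}
    log.record(user_id, role, patient_id, view.keys(), "granted")
    return view


def demo():
    """Run the three cases from the text: engineer, ancillary staff, unknown role."""
    log = AccessLog()
    engineer = minimum_necessary_view(SAMPLE_RECORD, "eng01", "engineer", log)
    staff = minimum_necessary_view(SAMPLE_RECORD, "anc07", "ancillary_staff", log)
    try:
        minimum_necessary_view(SAMPLE_RECORD, "vis99", "visitor", log)
    except PermissionError:
        pass  # expected: a role with no entry gets nothing
    return engineer, staff, log


if __name__ == "__main__":
    engineer, staff, log = demo()
    print("engineer sees:", sorted(engineer))
    print("ancillary staff sees:", sorted(staff))
    for entry in log.entries:
        print(entry["outcome"], entry["user_id"], entry["fields"])
```

The design choice worth noting is deny-by-default: a role that is not in the map gets no fields at all rather than the whole record, and the denial is logged alongside the grants so that an auditor can see unexpected access attempts as well as normal ones.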
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that
compromises the security or privacy of the protected health information. An
impermissible use or disclosure of protected health information is presumed to be a
breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been
compromised based on a risk assessment.
A business associate is a person who, on behalf of a covered entity or of an organized
health care arrangement in which the covered entity participates, but other than in
the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function
or activity.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care
clearinghouses, and (3) health care providers who electronically transmit any health
information in connection with transactions for which HHS has adopted standards.
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held
criminally liable under HIPAA. Covered entities and specified individuals, as explained
below, who "knowingly" obtain or disclose individually identifiable health
information in violation of the Administrative Simplification Regulations face a fine of
up to $50,000, as well as imprisonment up to one year. Offenses committed under
false pretenses allow penalties to be increased to a $100,000 fine, with up to five
years in prison. Finally, offenses committed with the intent to sell, transfer, or use
individually identifiable health information for commercial advantage, personal
gain or malicious harm permit fines of $250,000, and imprisonment for up to ten
years.
The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of
the privacy practices of their health plans and of most of their health care providers,
as well as to be informed of their privacy rights with respect to their personal health
information.
Health plans and covered health care providers are required to develop and distribute
a notice that provides a clear explanation of these rights and practices. The notice is
intended to focus individuals on privacy issues and concerns, and to prompt them to
have discussions with their health plans and health care providers and exercise their
rights.
On January 25, 2013, The U.S. Department of Health and Human Services (HHS)
published a long awaited Final Rule called Modifications to the HIPAA Privacy,
Security, Enforcement, and Breach Notification Rules under the Health Information
Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules (Omnibus Rule).
There are three (3) specific areas that healthcare providers will need to focus on to
comply with the new Omnibus Rule:
Privacy, Security, and Breach Notification policies and procedures;
Notice of Privacy Practices (NPP); and
Business Associate (BA) Agreements.
The Omnibus Rule became effective on March 26, 2013, with a compliance period of
180 days, requiring all providers to be compliant with the new regulations
by September 23, 2013.
Business Associate Agreements provide that a business associate may use or
disclose PHI only if such use or disclosure is in accordance with the HIPAA Privacy
Rule's required terms for business associate contracts.
The above-mentioned bill updates provisions establishing the duties of the executive
commissioner of the Health and Human Services Commission (HHSC) with regard to
protected health information. The bill includes provisions relating to training
required for employees of covered entities, consumer access to and use of protected health information, and a report by the attorney general regarding
consumer complaints.
This bill raises and sets caps on the civil penalty that may be assessed against a
covered entity for a violation of state medical records privacy laws based on certain
standards of culpability and includes provisions relating to an action by the attorney
general and the disciplinary powers of a licensing agency with regard to a violation of
state medical records privacy laws.
House Bill 300 requires HHSC, in consultation with TSHA and the Texas Medical Board,
to review issues regarding the security and accessibility of protected health
information maintained by an unsustainable covered entity and to submit a legislative
report including certain recommendations regarding those issues not later than
December 1, 2012. The bill creates a task force on health information technology and
requires the attorney general, not later than December 1, 2012, to appoint the task
force members and chair.