hipaa & you inservice notes

Upload: dreamchic

Post on 03-Jun-2018


  • 8/12/2019 HIPAA & YOU Inservice Notes

    1/18

    2/18

    The Health Insurance Portability and Accountability Act (HIPAA) consists of two overarching parts: the Privacy Rule and the Security Rule.

    The HIPAA Privacy Rule provides federal protections for personal health information and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

    The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.

    This presentation will focus on ePHI (electronic protected health information): patient health information that is computer based, i.e., created, received, stored or maintained, processed, and/or transmitted in electronic media.

    Electronic media includes computers, laptops, CDs/DVDs/disks, memory sticks, smart phones, PDAs, servers, networks, dial-up modems, email, websites, etc.

    3/18

    HIPAA Privacy & Security Laws mandate protection and safeguards for the access, use and disclosure of PHI and/or ePHI, with sanctions for violations.

    4/18

    A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

    Because HIPAA targets how healthcare professionals use and/or disclose the patient's personal health information, it can help the patient feel more at ease about the privacy of their records.

    The Privacy Rule permits uses and disclosures incidental to an otherwise permitted use or

    6/18

    The following are computer-based security controls for limiting access to portions of a patient's record:

    1. Unique User ID or Log-In Name, i.e., user access controls

    2. Password protection (e.g. Jerusalem = Jeru$@!em)

    3. Security for workstations, portable devices and laptops with ePHI

    4. Data management, e.g., back-up, archive, restore, disposal

    5. Secure remote access

    6. E-mail security

    7. Safe Internet use and social media policies

    7/18

    HIPAA requires that Grace Hospital train its workforce members about the University's HIPAA policies and the specific procedures which may affect the work you do. These rules apply to you when you look at, use, or share Protected Health Information (PHI).

    Examples of patient information:

    Patient's name or address

    Social Security or other ID numbers

    Doctors'/nurses' personal notes

    Billing information

    Covered entities such as us may use or disclose PHI under these provisions if the required conditions are met:

    As required by law

    For public health activities

    About victims of abuse, neglect or domestic violence

    For health oversight activities

    For judicial and administrative proceedings

    8/18

    Not all healthcare professionals need access to all components of a patient's health information. For example, the hospital engineer entering a patient's room to fix the television does not need to know the patient's diagnosis, but you, as an ancillary staff member, do need to know the diagnosis to provide adequate care. If the patient is infectious, the only information the engineer needs is what protective equipment to wear.

    Again, the administrative safeguards play a vital role in the daily practices of Associates. Policies and procedures govern the practice and uphold the high standards of practice required when caring for people.
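The minimum-necessary rule in the engineer example above is enforced in software as a deny-by-default, role-based field filter: a role sees only the fields it is listed for, and an unknown role sees nothing. The Python below is an added illustration, not code from the inservice notes or from Grace Hospital; the patient record, the role names and the field names are constructed for this example.

```python
"""Minimum-necessary (least-privilege) view of a patient record.

Added illustration for the HIPAA inservice notes; not the hospital's code.
The record, roles and field names below are constructed sample data.
"""
from typing import Dict, List, Tuple

# Constructed sample record. Every value is fictional.
PATIENT_RECORD: Dict[str, object] = {
    "name": "Sample Patient",
    "room": "412",
    "ssn": "000-00-0000",
    "diagnosis": "influenza A",
    "isolation_precautions": "droplet: surgical mask and gloves on entry",
    "billing": {"insurer": "Example Health Plan", "balance_due": 120.00},
}

# Deny-by-default policy: a role may see only the fields listed for it.
# The facilities engineer gets the precautions needed to enter the room
# safely but never the diagnosis. The SSN is in no view at all, so no
# role on this list can read it.
ROLE_VIEWS: Dict[str, frozenset] = {
    "nurse": frozenset({"name", "room", "diagnosis", "isolation_precautions"}),
    "facilities_engineer": frozenset({"room", "isolation_precautions"}),
    "billing_clerk": frozenset({"name", "billing"}),
}


def minimum_necessary_view(record: Dict[str, object], role: str) -> Dict[str, object]:
    """Return only the fields the given role is permitted to see.

    A role with no policy entry matches nothing and therefore sees nothing.
    """
    allowed = ROLE_VIEWS.get(role, frozenset())
    return {name: value for name, value in record.items() if name in allowed}


def request_fields(
    record: Dict[str, object], role: str, requested: List[str]
) -> Tuple[Dict[str, object], List[str]]:
    """Serve an explicit field request and report what was withheld.

    Returning the denied names lets the caller record the decision, which
    is what a reviewer auditing access to PHI will ask to see.
    """
    view = minimum_necessary_view(record, role)
    granted = {name: view[name] for name in requested if name in view}
    denied = [name for name in requested if name not in view]
    return granted, denied


if __name__ == "__main__":
    for role in ("nurse", "facilities_engineer", "billing_clerk", "visitor"):
        print(role, "->", sorted(minimum_necessary_view(PATIENT_RECORD, role)))
    granted, denied = request_fields(
        PATIENT_RECORD, "facilities_engineer", ["room", "diagnosis", "ssn"]
    )
    print("engineer granted:", granted, "denied:", denied)
```

The policy is a positive list per role rather than a list of fields to hide, so a newly added field (say, a lab result) is withheld from every role until someone decides who needs it.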

    9/18

    A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment.

    10/18

    A business associate is a person who, on behalf of a covered entity or of an organized health care arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity.

    Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

    In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.

    11/18

    12/18

    The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information.

    Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and to exercise their rights.

    13/18

    On January 25, 2013, the U.S. Department of Health and Human Services (HHS) published a long-awaited Final Rule called "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules" (the Omnibus Rule).

    There are three (3) specific areas that healthcare providers will need to focus on to comply with the new Omnibus Rule:

    Privacy, Security, and Breach Notification policies and procedures;

    Notice of Privacy Practices (NPP); and

    Business Associate (BA) Agreements.

    The Omnibus Rule became effective on March 26, 2013, with a compliance period of 180 days, requiring all providers to be compliant with the new regulations by September 23, 2013.

    Business Associate Agreements provide that a business associate may use or disclose PHI only if such use or disclosure is in accordance with the HIPAA Privacy Rule's required terms for business associate contracts.

    14/18

    The bill discussed here (Texas House Bill 300) updates provisions establishing the duties of the executive commissioner of the Health and Human Services Commission (HHSC) with regard to protected health information. The bill includes provisions relating to training required for employees of covered entities, consumer access to and use of protected health information, and a report by the attorney general regarding consumer complaints.

    This bill raises and sets caps on the civil penalty that may be assessed against a covered entity for a violation of state medical records privacy laws based on certain standards of culpability, and includes provisions relating to an action by the attorney general and the disciplinary powers of a licensing agency with regard to a violation of state medical records privacy laws.

    House Bill 300 requires HHSC, in consultation with TSHA and the Texas Medical Board, to review issues regarding the security and accessibility of protected health information maintained by an unsustainable covered entity and to submit a legislative report including certain recommendations regarding those issues not later than December 1, 2012. The bill creates a task force on health information technology and requires the attorney general, not later than December 1, 2012, to appoint the task force members and chair.

    15/18
