Presentation: HIPAA
TRANSCRIPT
TOPICS
What are privacy and security all about?
What is confidentiality?
How to protect confidential information?
What is HIPAA?
Definitions
Privacy Rule: foundation of federal protection for personal health information.
Confidentiality: set of rules that limits access or places restrictions on certain types of information.
Authorization: granting permission.
Breach Confidentiality: to break an agreement
Source:
www.wikipedidia.com
HIPAA
Health Insurance Portability and Accountability Act
The first federal legislation (effective April 14, 2003) that attempts to protect a patient’s right to privacy, and the security and access of personal medical information.
HIPAA (Public Law 104-191) was enacted into law by Congress in 1996. Enacted to do the following:
To ensure the portability of health insurance
To prevent health care fraud and abuse
Source:
www.hipaa.org
Continued:
To enforce health information standards that will improve the efficiency of health care delivery, simplify the exchange of data between health care entities, and reduce costs.
To reduce the paperwork associated with processing health care transactions.
Source:
Hebda, T. & Czar, P.(2009) Handbook of informatics for nurses & healthcare professionals.
HIPAA Privacy Act
Establishes a foundation of Federal protection for personal health information, carefully balanced to avoid creating unnecessary barriers to the delivery of quality health care.
The Act allows health care providers to access information necessary for payment of services with the consent of the patient. The Act imposes certain restrictions and limitations to provide further protection to the patient.
Source:
www.hhs.org/hipaa
Benefits of the Privacy Rule
Imposes restrictions on the use/disclosure of personal health information.
Gives patients greater protection of their medical records.
Provides patients with greater peace of mind related to the security of their health information.
Source:
www.hhs.org/privacy/hipaa
PATIENT SECURITY
Patient data can be stripped of identifiers that might otherwise be used to identify that individual.
The Department of Health & Human Services has proposed 19 identifiers for removal, such as:
Name
Address
Telephone number
Date of Birth
Source:
www.hhs.org/identifiers/hipaa
INFORMATION SECURITY
Information security provides 3 important qualities:
1. Confidentiality – No one should have access to the information unless they are authorized and prove a need for the information.
2. Integrity – The information can be trusted, and it has not been changed or deleted by accident or through tampering.
3. Availability – The important information is there when it is needed.
Confidentiality
Deals with communication or information given to you without fear of disclosure.
Legitimate Need to Know and Informed Consent
It also refers to the duty the health care professional has to protect the secrecy of information about a patient’s condition, regardless of the source.
Source:
www.hhs.org/hipaa.
Protected Health Information
What is protected health information (PHI)?
When a patient gives personal health information to a healthcare provider, that becomes Protected Health Information (PHI).
www.hipaasurvivalguide.com/
PROTECTED HEALTH INFORMATION
PHI Includes:
Verbal information
Information on paper
Recorded information
Electronic information (faxes, e-mails, texts)
Protected Health Information
Examples of patient information
Patient's name or address
Social Security numbers
Tax ID numbers
Health care provider's notes
Billing information
Protections for Health Information
Physical Barriers: Computer terminals not in public spaces.
Administrative: Policies and procedures in place for release of patient information.
Staff: Keeping passwords confidential and not letting anyone else use your password.
Source:
J. DeMoore, R.N., personal communication, Oct. 23, 2014.
Practical Ways to Keep Information Safe
Never discuss a patient in any public areas.
Always put confidential papers away when leaving a work station.
Never leave confidential papers on fax machines or in public areas.
Dispose of confidential papers in approved shredders.
Never discuss confidential health information with family members.
Source:
J. DeMoore, R.N., personal communication, Oct. 23, 2014.
Notice of Privacy Practices
Patients have the right to adequate notice concerning the use/disclosure of their PHI.
The Notice of Privacy Practices must contain the patient’s rights and the covered entities’ legal duties.
Patients are required to sign a statement that they were informed and understand the privacy practices.
Source:
www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities.
ACCOUNTABILITY
Accountability Principle: The Principles in the Privacy and Security Framework emphasize that compliance with, and appropriate mechanisms to report and mitigate non-compliance with, the Principles are important to building trust in the electronic exchange of individually identifiable health information.
Source:
The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment.
When Can Disclosure be made of PHI
The personal health information can be disclosed for several reasons:
1) For treatment, billing and payment, health care management.
2) With an informed authorization from the patient.
3) When giving patient access to their own PHI.
Source:
www.hhs.org/hipaa.
Minimum Necessary
According to the HIPAA guidelines, a covered entity must develop policies and procedures that reasonably limit disclosures of and requests for protected health information.
The entity is also required to develop access policies that limit who may access the PHI. Use of the PHI is limited to the minimum amount of health information required to do a specific job.
Source:
www.hhs.org/hipaa.
Practical Minimum Necessary
Know who needs to access the PHI.
Know what portion of the PHI is needed for patient care.
Provide access only to those who need to access the information to care for the patient.
Source:
J. DeMoore, R.N., Personal Interview. Oct 23, 2014.
Unauthorized PHI Disclosures
PHI can be disclosed without the consent of the patient when:
1) There is a need to report abuse or neglect.
2) To organ donation organizations.
3) For public health safety concerns related to disease prevention or control.
Patients can, however, request a list of who has viewed their PHI, but they must sign a consent for it.
Source:
www.hhs.gov/ocr/privacy/hipaa
SECURITY DANGERS
Fires, earthquakes, power outages, and even burst water pipes can damage confidential paper records and computer systems. Technical systems may crash, or they can catch a computer “virus”, also potentially damaging information.
However, the biggest threats come from people, both insiders and outsiders. Careless conversations or curiosity can lead to inappropriate disclosure of PHI.
Deliberate actions are also a threat, such as using someone else’s password without their knowledge to obtain someone else’s PHI, altering data, or even copying data for identity theft.
Source:
www.foxgrp.com/blog/hipaa-breach.
Health Information Technology for Economic and Clinical Health Act
HITECH
HIPAA needed to be updated to reflect the increase in identity theft, so rules were added to include protections against it.
HITECH
Federal law, part of the Reinvestment and Recovery Act (ARRA), enacted Sept. 2009.
Applies to covered health care entities. Many changes to privacy and security laws were added.
Increases penalties for privacy and security breaches.
Requires notifications to the patient and the Department of Health and Human Services of information breaches.
Provides for increased penalties and prosecution of breaches in privacy or security.
Source:
www.hipaasurvivalguide.com/hitech-act-13400.php
Mitigation
Improper use or disclosure of PHI requires penalties or mitigation of the harm that it caused.
1) Covered entities need to identify the cause of the violation and amend privacy policies and technical procedures to assure the breach does not reoccur.
2) They must notify the individual of the violation if the individual needs to take steps to avoid the harm, as in the case of identity theft.
3) The network must be investigated to prevent further leakage of information.
Source:
www.hipaasurvivalguide.com
Patients' Rights
Patients have a right to confidentiality of all information that is provided to the healthcare professional and institution caring for them.
Healthcare professionals have a duty to the patient to secure all information at all times and to resolve any breaches promptly.
The hospital has a duty to provide the patient with confidentiality, privacy and security. It must ensure that records are protected against loss, tampering, destruction or unauthorized use.
Source:
www.jointcommission.org