HIPAA establishes rules for protecting patient privacy and health information. It applies to covered entities like health plans, providers, and clearinghouses. Business associates of these entities must also comply. Protected health information includes identifiable patient information. Patients have rights to access and restrict use of their information. Covered entities must notify patients of these privacy practices and face penalties for violations like impermissible disclosures or breaches of private health information. Maintaining privacy and security of patient data is important to avoid penalties or consequences.
2. What is HIPAA?
• A federal law
• Established uniform rules for protecting health information and privacy
• Established civil and criminal penalties for violations of patient privacy
3. The Privacy Rule was founded on two very basic principles:
• Health information belongs to the patient
• Patients have a right to know how their information is being used
4. HIPAA Basics
• Covered Entities
• Business Associates
• Protected Health Information
• Use and Disclosure
• Role-based Access
• Minimum Necessary
• Patient Rights
5. Covered Entities
Groups or individuals who must comply with the law:
• Health plans
• Health Care Clearinghouses
• Health Care providers who conduct electronic transactions related to third-party billing
6. Business Associates (BA)
• Organizations with which a covered entity has a contract or special agreement in place in order to exchange information.
• Definition expanded to include all entities that create, receive, maintain or transmit PHI on behalf of a covered entity, such as a BA subcontractor.
• A BA may have vicarious liability for a subcontractor's noncompliance.
7. What is PHI?
• Information transmitted or maintained in any form or medium by a Covered Entity or its Business Associate;
• Information that individually identifies a patient;
• Information that describes the past, present, or future physical or mental health or condition of an individual, or payments for that individual's care;
• Includes the demographics of an individual.
8. Examples of Demographics
• Name
• Address
• Date of Birth
• Telephone Number
• Social Security Number
• Medical Record Number
• Health Plan Number
• Account Number
• Driver License Number
• Fax Number
• Any other unique identifying characteristic
9. Where is PHI found?
• Patient Medical Records
• Patient Financial Records
• Other items that may contain PHI
- Daily Census
- Patient Lists
- Any Documents/Reports with patient information or demographics included
10. HIPAA Privacy versus Security
• Privacy - Grants patients the right to control access to and disclosures of their PHI
• Security - An organization's responsibility to control the means by which such information remains confidential
11. Notice of Privacy Practices
• Informs the patient regarding:
- Release of Information
- Access to Information
- Restrictions to Information
- Amendments to Information
- Accounting of Disclosures
• Healthcare Organizations must educate patients and families on the rights and protections contained within the Notice of Privacy Practices.
12. What HIPAA means for patients:
• Increased Control
- Use of Information
- Disclosure of Information
• Increased Understanding
- Use of Information
- Who has Access
• Increased Protection of Their Rights
13. Breach
• An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information, such that the use or disclosure poses a significant risk of financial, reputational or other harm to the affected individual.
• In simple terms: protected health information available to those who have no authority to view it, and who may use that information inappropriately.
14. Consequences of violations...
• Penalties at work
- Warnings, suspension, termination
• Civil Penalties
- 4 tiers based on culpability
- $100 to $50,000 per violation (up to $1,500,000 for identical violations in a calendar year)
• Criminal Penalties
- Up to 10 years in prison
- Fines as high as $250,000
15. Avoiding Breach Notification
• Never write down your username and passwords, and especially do not attach them to your laptop.
• Always lock or shut down your computer when it is unattended.
• Do not give your passwords out to anyone.
• Be sure your printouts with PHI are secured.
• Never text PHI using cell phones or smartphones.
• Never access a patient record for a patient you are not authorized to provide treatment for.