HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The main purpose of this federal statute was to help consumers maintain their insurance coverage, but it also includes a separate set of provisions called Administrative Simplification.
Need For HIPAA
In 2000, many patients who were newly diagnosed with depression received free samples of anti-depressant medications in their mail. This left patients wondering how the pharmaceutical companies were notified of their disease. After a long and thorough investigation, the physician, the pharmaceutical company and a well-known pharmacy chain were all indicted on breach of confidentiality charges. This is one of the many reasons the Federal Government needed to step in and create guidelines to protect patient privacy.
HIPAA
• Establishes a Federal floor of safeguards to protect the confidentiality of medical information.
• Allows patients to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
• Purpose: To protect Protected Health Information [PHI].
• Effective from April 14, 2003.
• It is the standard for security of data systems.
• It is privacy protection for individual health information.
What Is PHI?
• The health information which identifies the individual.
• Includes information about the past, present and future health, and the mental health, of an individual.
• Information stored, used or disclosed by covered entities or business associates. This includes electronic data, paper documents, oral or written conversations, films and microfiche.
Patient Identifiers
• Names
• Address (street, city, county or zip code)
• Telephone numbers
• Fax numbers
• Social Security numbers
• All elements of dates (except for years)
• E-mail address
• Health plan beneficiary numbers
• Medical record numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• URLs
• IP address numbers
• Biometric identifiers
• Full face photographs
• Any other unique identifying number or characteristic
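One way to apply the identifier list above in code, as an added example that is not part of the original deck: a small Python de-identifier that drops identifier fields from a record, keeps only the year of any date, and scrubs patterns such as Social Security numbers, phone numbers, e-mail addresses, URLs and IP addresses from free-text notes. The regexes, field names and the sample record are assumptions constructed for the example.

```python
import re
from datetime import date

# Regexes for identifier categories from the list above that can appear in free
# text; constructed approximations for this example, not a complete detector.
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone_or_fax": re.compile(r"(?<!\d)(?:\+1[ -]?)?(?:\(\d{3}\)|\d{3})[ -]?\d{3}-\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+"),
    "ip_address": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "full_date": re.compile(r"(?<!\d)(\d{1,2})/(\d{1,2})/(\d{4})(?!\d)"),
}
# Fields that are identifiers by definition; their values are dropped outright
# (field names are assumed for the example).
DIRECT_ID_FIELDS = {"name", "address", "zip", "phone", "email", "ssn", "mrn",
                    "account_number", "beneficiary_number", "device_serial"}

def scrub_text(text):
    """Remove identifier patterns from free text; dates keep only the year."""
    text = PATTERNS["full_date"].sub(lambda m: m.group(3), text)
    for label, pat in PATTERNS.items():
        if label != "full_date":
            text = pat.sub(f"[{label.upper()} REMOVED]", text)
    return text

def deidentify(record):
    """Return a copy of the record with the listed identifiers removed."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_ID_FIELDS:
            continue
        if isinstance(value, date):
            out[field] = value.year  # every date element except the year goes
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out

def find_identifiers(text):
    """List identifier categories still present; [] means the text is clean."""
    return [label for label, pat in PATTERNS.items() if pat.search(text)]

# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-0001",
    "dob": date(1980, 3, 14), "diagnosis": "Depression",
    "notes": ("Pt called from 614-555-0142 on 01/15/2000; email "
              "jane@example.com, ssn 123-45-6789, portal login from 10.1.2.3"),
}
```

Running `find_identifiers` over the scrubbed notes is the check a practitioner would add before releasing a record: an empty list is the expected outcome.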
Covered Entities
Defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.
Entity And Compliance With HIPAA
a. Notify patients about their privacy rights and how their information can be used.
b. Adopt and implement privacy procedures.
c. Train employees so they understand the privacy procedures.
d. Designate a Privacy Officer.
e. Secure patient records containing Protected Health Information [PHI].
f. The covered entity provides a custom-made health care notice of individuals' privacy rights and of the disclosure of protected health information, the Notice of Privacy Practices. It covers the patient's rights, disclosure rules and regulations.
Business Associates
A person or entity that performs a function or activity on behalf of a Covered Entity [CE] that requires the creation, use or disclosure of Protected Health Information [PHI] but who is not considered part of the Covered Entity's workforce. They must have a written contract or agreement that assures they will appropriately safeguard the Protected Health Information [PHI] they create or receive.
Examples of Business Associates
• A third party administrator who assists a health plan with claims processing.
• A CPA firm whose accounting services to a health care provider involve access to protected health information.
• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
• An independent medical transcriptionist who provides transcription services to a physician.
• A pharmacy benefits manager who manages a health plan's pharmacist network.
Administrative Safeguards
1. Security management process: conduct a risk analysis on a periodic basis and make sure all policies and procedures are followed; a sanction policy is required; an information system activity review is necessary for the firewall, the network and the safeguarding of the technical infrastructure.
2. Assigned security responsibility: appoint a HIPAA security officer.
3. Workforce security: includes authorization and supervision, workforce clearance procedures (only the required access is granted) and termination procedures.
4. Information access management: by monitoring logins and password management.
5. Security awareness training: both covered entities and business associates should train their workforces, and security reminders are to be sent out.
6. Security incident procedures: have security incident procedures in place.
7. Contingency plan evaluation: a data backup and data recovery plan is needed; this includes people, machines and technology. It also includes an emergency mode plan for business continuity and disaster management; for this, check assets, facilities and data priority.
8. Business associate contract: a contract between the covered entity and the business associate, based on 45 CFR, covering the use and disclosure rules for protected health information.
Physical Safeguards
1. Facility access controls: contingency plan and validation procedures; all doors of the organization except the front door should be locked, and the front door should lead to a reception area where every person is scanned.
2. Workstation use: this safeguard requires policies and procedures to protect ePHI at the workstation level, ensuring that workstations are used appropriately.
3. Workstation security: make sure the workstation does not walk off, e.g. with the use of laptops.
4. Device and media controls: any media storing PHI should be disposed of properly at end of life, using a shredding machine or formatting; reusable media should be formatted; maintain accountability for media and hardware.
Technical Safeguards
1. Access and audit controls: each user should have a unique user ID; emergency access, automatic log-off and password-protected screensavers are needed, as are encryption and decryption; audit logs must be generated, and random audits of the audit log are required.
2. Transmission security: prevents users from accessing or changing PHI while it is in transit. Use encryption.
3. Integrity: making sure that the data is correct and accurate.
4. Person or entity authentication: if a third party needs to access the systems for PHI, they should be authenticated first.
Thank You
Contact Us:
ITCube BPO Solution,
Email: info@itcubebpo.com
Phone: +1 (614) 434-2376
10999 Reed Hartman Highway,
Suite # 134, Cincinnati,
Ohio - 45242, USA
www.itcubebpo.com