The document summarizes the key aspects of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. It defines protected health information (PHI) as any individually identifiable health information and lists the 18 identifiers that must be removed. It outlines how PHI should only be used and accessed when necessary to perform one's job and secured electronically or physically. Examples of privacy breaches are provided as well as an overview of a Notice of Privacy Practices.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Privacy and Security Rules Summary
The Healthcare Team
Training & Awareness
1. Introduction to HIPAA
2. PHI Identifiers and Awareness
3. Security Measures
4. Privacy Breaches
5. Policies & Procedures
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law whose administrative simplification provisions:
1. Protect the privacy of patient information
2. Provide for electronic and physical security of patient health information
3. Require “minimum necessary” use and disclosure
4. Specify patient rights to approve the access and use of their medical information
Protected Health Information (PHI)
PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
Protected Health Information (PHI): 18 Identifiers
1. Name
2. Postal address
3. All elements of dates except year
4. Telephone number
5. Fax number
6. Email address
7. URL address
8. IP address
9. Social security number
10. Account numbers
11. License numbers
12. Health plan beneficiary number
13. Medical record number
14. Device identifiers and their serial numbers
15. Vehicle identifiers and serial numbers
16. Biometric identifiers
17. Full face photos and other comparable images
18. Any other unique identifying number, code, or characteristic
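As an added example (not part of the original slides), a Python filter that applies this identifier list to a flat patient record: it drops the direct identifiers, keeps only the year of date fields, and scans free-text notes for identifiers that slipped through. The field names, regex patterns and sample record are constructed for the example and are not from any real system.

```python
import re
from datetime import date

# Field names are constructed for this example; a real record layout would
# differ. Each entry corresponds to an item in the 18-identifier list.
DIRECT_IDENTIFIERS = {
    "name", "postal_address", "telephone", "fax", "email", "url",
    "ip_address", "ssn", "account_number", "license_number",
    "health_plan_beneficiary_number", "medical_record_number",
    "device_serial", "vehicle_id", "biometric_id", "full_face_photo",
}
# "All elements of dates except year": only the year of these survives.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}

# Patterns for identifiers that tend to leak through free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "telephone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def year_only(value) -> str:
    """Reduce a date (date object or ISO 8601 string) to its year."""
    if isinstance(value, date):
        return str(value.year)
    return str(value)[:4]  # "YYYY-MM-DD" -> "YYYY"

def deidentify(record: dict) -> dict:
    """Drop direct identifiers, truncate dates to year, pass the rest through."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        out[key] = year_only(value) if key in DATE_FIELDS else value
    return out

def residual_identifiers(text: str) -> list:
    """Return the identifier categories still present in free text."""
    return sorted(k for k, p in FREE_TEXT_PATTERNS.items() if p.search(text))

# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example",
    "medical_record_number": "MRN-000001",
    "date_of_birth": "1980-05-17",
    "admission_date": date(2024, 2, 3),
    "diagnosis": "hypertension",
    "notes": "Patient can be reached at 555-123-4567 for follow-up.",
}
```

Running deidentify(SAMPLE) removes name and medical record number and reduces both dates to years; residual_identifiers on the notes field then flags the telephone number that structured filtering alone would have left in place.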
When should you use PHI?
1. Only when necessary to perform your job duties
2. Use only the minimum necessary to perform your job duties
How do I secure PHI?
• Use electronic data only in a firewalled environment (cloud)
• Do not download to a non-protected environment:
  • Laptop
  • Flash drive
• Do not verbally release PHI outside the office
• Do not leave PHI on answering machines
• Ensure all paper, CDs, and records are locked up or destroyed
Privacy Breaches
• Talking in public areas too loudly or to the wrong person
• Lost/stolen or improperly disposed of paper, mail, films, notebooks
• Lost/stolen laptops, PDAs, cell phones, media devices (video/audio recordings)
• Lost/stolen zip disks, CDs, flash drives
• Hacking or unprotected computer systems
• Email/faxes sent to the wrong address, wrong person, or wrong number
• User not logging off of their computer system, allowing others to access it
Notice of Privacy Practices (NOPP)
The Notice of Privacy Practices allows PHI to be used and disclosed for purposes of TPO:
• Treatment
• Payment
• Operations
TPO includes teaching, medical staff/peer review, legal, auditing, customer service, business management, and releases mandated by law.
Remember
All patient information is private:
• Personal information
• Financial information
• Medical information
• Protected Health Information
• Information in any format:
  • Spoken
  • Written
  • Electronic