2. TOPICS
What are privacy and security all about?
What is confidentiality?
How to protect confidential information?
What is HIPAA?
3. Definitions
Privacy Rule: foundation of federal protection for
personal health information.
Confidentiality: set of rules that limits access or places
restrictions on certain types of information.
Authorization: granting permission.
Breach of Confidentiality: to break an agreement.
Source:
www.wikipedidia.com
4. Health Insurance Portability
and Accountability Act
The first federal legislation (effective April 14, 2003) that
attempts to protect a patient’s right to privacy and the
security and access of personal medical information.
HIPAA (Public Law 104-191) was enacted into law by
Congress in 1996. It was enacted to do the following:
To ensure the portability of health insurance
To prevent health care fraud and abuse
Source:
www.hipaa.org
5. Continued:
To enforce health information standards that will improve the
efficiency of health care delivery, simplify the exchange of data
between health care entities, and reduce costs.
To reduce the paperwork associated with processing health
care transactions.
Source:
Hebda, T. & Czar, P. (2009). Handbook of informatics for nurses &
healthcare professionals.
6. HIPAA Privacy Act
Establishes a foundation of Federal protection for personal
health information, carefully balanced to avoid creating
unnecessary barriers to the delivery of quality health care.
The Act allows health care providers to access information
necessary for payment of services with the consent of the
patient. The Act imposes certain restrictions and limitations to
provide further protection to the patient.
Source:
www.hhs.org/hipaa
8. Benefits of the Privacy Rule
Imposes restrictions on the use/disclosure of personal
health information.
Gives patients greater protection of their medical records.
Provides patients with greater peace of mind related to
the security of their health information.
Source:
www.hhs.org/privacy/hipaa
9. PATIENT SECURITY
Patient data can be stripped of identifiers that might otherwise be
used to identify that individual.
The Department of Health & Human Services has proposed 19
identifiers for removal, such as:
Name
Address
Telephone number
Date of Birth
Source
www.hhs.org/identifiers/hipaa
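The identifier stripping described on this slide, as an added example that is not part of the original slides: the four identifiers the slide lists (name, address, telephone number, date of birth) are dropped from a structured record, free-text notes are scanned for phone numbers and dates that would leak the same identifiers, and a separate check confirms nothing was missed. The record layout, the field names and the sample patient are constructed for this example.

```python
"""De-identify a patient record by stripping direct identifiers.

Added example, not part of the original slides. Record keys, patterns
and the sample patient are this example's own assumptions.
"""
import re
from typing import Any

# Fields the slide names as identifiers to remove (key names are assumed).
DIRECT_IDENTIFIER_FIELDS = {"name", "address", "telephone", "date_of_birth"}

# Identifiers that often hide inside free-text notes: US-style phone
# numbers and numeric dates. Lookarounds stop partial matches inside
# longer digit runs.
PHONE_RE = re.compile(r"(?<!\d)(?:\(\d{3}\)\s*|\d{3}[-. ])\d{3}[-. ]\d{4}(?!\d)")
DATE_RE = re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/\d{2,4}(?!\d)")


def scrub_text(text: str) -> str:
    """Replace phone numbers and dates in free text with placeholders."""
    text = PHONE_RE.sub("[PHONE]", text)
    return DATE_RE.sub("[DATE]", text)


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with direct identifier fields removed and notes scrubbed."""
    clean = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    if "notes" in clean:
        clean["notes"] = scrub_text(str(clean["notes"]))
    return clean


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """List identifier fields still present, plus any text values that
    still contain a phone number or date. Empty list means clean."""
    found = [k for k in DIRECT_IDENTIFIER_FIELDS if k in record]
    for key, value in record.items():
        if isinstance(value, str) and (PHONE_RE.search(value) or DATE_RE.search(value)):
            found.append(f"{key}:free-text")
    return found


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Example",
    "address": "1 Example St, Anytown",
    "telephone": "555-010-2222",
    "date_of_birth": "02/14/1970",
    "diagnosis": "hypertension",
    "notes": "Patient called from 555-010-2222 on 3/4/2014 re: follow-up.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

The check in `residual_identifiers` is the part worth keeping: dropping fields is easy, but the phone number and visit date copied into the provider's note are what usually survive a naive de-identification pass.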
10. INFORMATION
SECURITY
Information security provides 3 important qualities:
1. Confidentiality – No one should have access to the
information unless they are authorized and prove a
need for the information.
2. Integrity – The information can be trusted, and it has not
been changed or deleted by accident or through
tampering.
3. Availability – The important information is there when it
is needed.
11. Confidentiality
Deals with communication or information given to you
without fear of disclosure.
Legitimate Need to Know and Informed Consent
It also refers to the duty the health care professional
has to protect the secrecy of information about a
patient’s condition, regardless of the source.
Source:
www.hhs.org/hipaa.
12. Protected Health Information
What is protected health information (PHI)?
When a patient gives personal health information to a
healthcare provider, that becomes
Protected Health Information (PHI).
Source:
www.hipaasurvivalguide.com/
13. PROTECTED HEALTH
INFORMATION
PHI Includes:
Verbal information
Information on paper
Recorded information
Electronic information (faxes, e-mails, texts)
14. Protected Health Information
Examples of patient information:
Patient’s name or address
Social Security numbers
Tax ID numbers
Health care providers’ notes
Billing information
16. Protections for Health
Information
Physical Barriers: Computer terminals not in public spaces.
Administrative: Policies and procedures in place for release
of patient information.
Staff: Keeping passwords confidential and not letting anyone
else use your password.
Source:
J. DeMoore, R.N., personal communication, Oct. 23, 2014.
17. Practical Ways to Keep
Information Safe
Never discuss a patient in any public areas.
Always put confidential papers away when leaving a work
station.
Never leave confidential papers on fax machines or in public
areas.
Dispose of confidential papers in approved shredders.
Never discuss confidential health information with family
members.
Source:
J. DeMoore, R.N., personal communication, Oct. 23, 2014.
18. Notice of Privacy Practices
Patients have the right to adequate notice concerning the
use/disclosure of their PHI.
The Notice of Privacy Practices must contain the patient’s
rights and the covered entities’ legal duties.
Patients are required to sign a statement that they were
informed and understand the privacy practices.
Source:
www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities.
19. ACCOUNTABILITY
Accountability Principle: The Principles in the Privacy and
Security Framework emphasize that compliance with, and
appropriate mechanisms to report and mitigate non-compliance
with, the Principles are important to building trust in the
electronic exchange of individually identifiable health
information.
Source:
The HIPAA Privacy Rule and Electronic Health Information
Exchange in a Networked Environment.
20. When Can Disclosure be
made of PHI
The personal health information can be disclosed for
several reasons:
1) For treatment, billing and payment, health care
management.
2) With an informed authorization from the patient.
3) When giving patient access to their own PHI.
Source:
www.hhs.org/hipaa.
21. Minimum Necessary
According to the HIPAA guidelines a covered entity must
develop policies and procedures that reasonably limit
disclosures of and requests for protected health
information.
The entity is also required to develop access policies that
limit who may access the PHI. Use of the PHI is limited to
the minimum amount of health information required to do
a specific job.
Source:
www.hhs.org/hipaa.
22. Practical Minimum Necessary
Know who needs to access the PHI.
Know what portion of the PHI is needed for patient
care.
Provide access only to those who need to access the
information to care for the patient.
Source:
J. DeMoore, R.N., Personal Interview. Oct 23, 2014.
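The "Minimum Necessary" and "Practical Minimum Necessary" slides describe a policy; the following is an added example (not from the original slides or from Ms. DeMoore's training material) of what that policy looks like as an access check: each role gets only the portion of the record its job needs, a clinical role must actually be assigned to the patient, and every attempt is logged so the patient's request for a list of who viewed their PHI can be answered. The roles, field names, policy table and sample record are constructed for this example.

```python
"""Minimum-necessary access to PHI: role-scoped views plus an access log.

Added example, not part of the original slides. Roles, field names,
the policy table and the sample record are assumptions of this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which portion of the record each role needs for its job (constructed policy).
ROLE_FIELDS = {
    "treating_nurse": {"name", "allergies", "medications", "provider_notes"},
    "billing_clerk": {"name", "insurance_id", "billing_codes"},
    "front_desk": {"name", "appointment_time"},
}

# Roles that see clinical data must be assigned to the patient they access.
CARE_ROLES = {"treating_nurse"}


class AccessDenied(Exception):
    pass


@dataclass
class AccessLog:
    """Append-only record of every access attempt, allowed or denied."""
    entries: list[dict] = field(default_factory=list)

    def record(self, user: str, role: str, patient_id: str,
               fields: set[str], allowed: bool) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "fields": sorted(fields), "allowed": allowed,
        })

    def for_patient(self, patient_id: str) -> list[dict]:
        """Accounting of who actually viewed this patient's PHI."""
        return [e for e in self.entries
                if e["patient"] == patient_id and e["allowed"]]


def minimum_necessary_view(record: dict, user: str, role: str,
                           assigned_patients: set[str], log: AccessLog) -> dict:
    """Return only the fields `role` needs; refuse clinical access when the
    user is not caring for this patient. Every decision is logged."""
    patient_id = record["patient_id"]
    allowed_fields = ROLE_FIELDS.get(role)
    if allowed_fields is None:
        log.record(user, role, patient_id, set(), False)
        raise AccessDenied(f"unknown role {role!r}")
    if role in CARE_ROLES and patient_id not in assigned_patients:
        log.record(user, role, patient_id, set(), False)
        raise AccessDenied(f"{user} is not caring for patient {patient_id}")
    view = {k: v for k, v in record.items() if k in allowed_fields}
    log.record(user, role, patient_id, set(view), True)
    return view


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "patient_id": "P-0001",
    "name": "Jane Example",
    "allergies": ["penicillin"],
    "medications": ["lisinopril"],
    "provider_notes": "BP stable.",
    "insurance_id": "INS-12345",
    "billing_codes": ["99213"],
    "appointment_time": "2014-10-23T09:00",
}

if __name__ == "__main__":
    log = AccessLog()
    print(minimum_necessary_view(SAMPLE_RECORD, "nurse_a", "treating_nurse", {"P-0001"}, log))
    print(minimum_necessary_view(SAMPLE_RECORD, "clerk_b", "billing_clerk", set(), log))
    try:
        minimum_necessary_view(SAMPLE_RECORD, "nurse_c", "treating_nurse", {"P-0002"}, log)
    except AccessDenied as exc:
        print("denied:", exc)
    print(log.for_patient("P-0001"))
```

The billing clerk never sees allergies or provider notes, the nurse never sees the insurance ID, and the nurse who is not assigned to the patient is refused outright; the denied attempt still lands in the log, which is what lets a reviewer notice curiosity-driven lookups.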
24. Unauthorized PHI Disclosures
PHI can be disclosed without the consent of the patient when:
1) There is a need to report abuse or neglect.
2) To organ donation organizations.
3) For public health safety concerns related to disease
prevention or control.
Patients can, however, request a list of who has viewed their PHI,
but they must sign a consent for it.
Source:
www.hhs.gov/ocr/privacy/hipaa
25. SECURITY DANGERS
Fires, earthquakes, power outages and even burst water pipes can
damage confidential paper records and computer systems. Technical
systems may crash, or they can catch a computer “virus”, also
potentially damaging information.
However, the biggest threats come from people, both insiders and
outsiders. Careless conversations or curiosity can lead to
inappropriate disclosure of PHI.
Deliberate actions include using someone else’s password without
their knowledge to obtain another person’s PHI, altering data, or even
copying data for identity theft.
Source:
www.foxgrp.com/blog/hipaa-breach.
27. Health Information Technology for
Economic and Clinical Health Act
HITECH
HIPAA needed to be updated to
reflect the increase in identity theft,
so rules were added to include
protections against it.
28. HITECH
Federal law, part of the American Recovery and Reinvestment Act (ARRA),
enacted Sept. 2009.
Applies to covered health care entities. Many changes to privacy
and security laws were added.
Increases penalties for privacy and security breaches.
Requires notifications to the patient and the Department of Health
and Human Services of information breaches.
Provides for increased penalties and prosecution of breaches in
privacy or security.
Source:
www.hipaasurvivalguide.com/hitech-act-13400.php
29. Mitigation
Improper use or disclosure of PHI requires penalties or mitigation of
the harm it caused.
1) Covered entities need to identify the cause of the violation and
amend privacy policies and technical procedures to assure the
breach does not reoccur.
2) They must notify the individual of the violation if the individual
needs to take steps to avoid the harm, as in the case of identity
theft.
3) The network must be investigated to prevent further leakage of
information.
Source:
www.hipaasurvivalguide.com
30. Patients Rights
Patients have a right to confidentiality of all information that
is provided to the healthcare professional and institution
caring for them.
Healthcare professionals have a duty to the patient to
secure all information at all times and to resolve any
breaches promptly.
The Hospital has a duty to provide the patient with
confidentiality, privacy and security. They must ensure that
records are protected against loss, tampering, destruction or
unauthorized use.
Source:
www.jointcommission.org
A basic primer on HIPAA and three of the most important components of the law.
Standardized definitions allow for easier understanding of terms used in the HIPAA laws.
Much of the patient’s health information is documented in a computerized format. Protecting this information has become vitally important.
Privacy and security measures became vital in the age of computerized health care records. Safeguarding a patient’s
records became an integral part of any electronic health information system.
Privacy is also about a person’s control over their personal information and the responsibilities of electronic health care users that have access to the patient’s personal information. HIPAA gives patients and their representatives guarantees about their health care privacy. It provides patients with greater
peace of mind related to the security of their information.
HIPAA is our friend, not an enemy.
The Privacy Act is an important part of the HIPAA laws, because it provides patients with a say in who can access their health care information.
In implementing reasonable safeguards, organizations need to analyze their own needs and circumstances, such as the nature of the
information they hold, and assess the potential risks to patients’ privacy.
For example, a nurse in the ER has no need to access information about a patient they are not caring for.
Patient care decisions based on test results need to be accurate; for this reason, computer screens that show results usually do not allow you to change
the values. When taking care of a patient, the nurse needs to have the latest information in the electronic record.
We need to ensure the computer system and network are up and running.
Confidentiality requires a situation in which a relationship has been established and private information is shared.
A clearly defined term enables all to know what PHI is.
Throughout the life of a patient’s health care record there will be many different occasions on which their protected health information is seen.
Any piece of information that could identify a specific patient is confidential, even if the patient’s name is omitted. For example, a patient with
a rare condition could be identified simply by that condition or perhaps even by the date of the visit.
There are many steps that can be taken to keep patients’ privacy and confidentiality intact; these are just a few reminders.
Just because a health care provider has access to confidential records does not mean they are entitled to share them with anyone. The
records belong to the person and cannot be shared without explicit consent. Common sense needs to be used when handling confidential
health records.
Protection of patient confidentiality is an important practice for many health care providers; covered entities build upon these requirements to
develop reasonable safeguards for the medical record.
The accountability portion of HIPAA is needed to ensure that covered entities will abide by the principles of HIPAA and to clearly define the
consequences of breaches of security, privacy or confidentiality.
Any disclosure of personal health care information must always be done with strict adherence to the rules set forth by HIPAA to protect the patient’s privacy and rights.
Stated simply, any health care provider needs to have guidelines in place that protect the health information of those they care for.
They must limit the amount of information that can be accessed by those who do not need the information to do their job.
Ms. DeMoore, head informatics nurse at Mather Memorial Hospital, provided these key elements she uses when providing nurses with
HIPAA training.
Just a funny but truthful picture.
It may seem strange that there are exceptions to HIPAA, but when the health of a community is threatened by a contagious disease,
the PHI becomes the local department of health’s concern.
These are all very real threats to anyone’s PHI. Identity theft is becoming a major security threat.
Everyone who handles a patient’s health care information is responsible for keeping the information safe. It’s our duty to our
patients.
With the ever increasing dangers of computer hackers breaching private data and the marked increase in identity theft,
HIPAA added extra rules that would assist in dealing with these concerns.
ARRA is an economic stimulus package which includes extensive funding for science, research and health infrastructure.
The network that allowed the “leak” is liable and must immediately notify those harmed and investigate and correct the source of the breach.
In conclusion, as healthcare providers we are duty-bound and legally bound to protect our patients’ health information at all times.
Many laws are in place, but in the end our nursing ethics dictate our duties and always provide guidance in our practice of
safeguarding our patients.