HIPAA
1. Air Force Medical Operations Agency
Excellent Healthcare, Clinical Currency
HIPAA Privacy and Security
2. What HSA Students need to know about HIPAA
To provide an introductory overview of HIPAA and how it affects you as a TOPA or future Systems Flight Commander
- INTERNAL: This presentation focuses on how the HIPAA Privacy and Security Rules impact the Privacy Officer in TOPA, the Security Officer in Systems Flight, and you as a medical member of the Covered Entity.
- EXTERNAL: How HIPAA affects your interaction with Wing “Line” commanders
It is not intended to provide you with a comprehensive understanding of the entire Privacy and Security Rule, nor is it intended to address all the various requirements your Medical Group must observe in order to be in compliance with the rule.
3. General Overview of HIPAA
Public Law 104-191, also known as the Health Insurance Portability and Accountability Act (HIPAA)
- Primary AF Guidance for HIPAA Privacy includes AFI 41-210 and DoD 6025.18-R
- Primary AF Guidance for HIPAA Security includes AFI 41-217
The overarching purposes of HIPAA are to:
- Improve the portability and continuity of health insurance coverage
- Combat waste, fraud, and abuse in health insurance and health care delivery
- Simplify the administration of health insurance
- Standardize all electronic transaction code sets (EDI)
HIPAA is much more than just privacy and security: several functions within the healthcare industry needed to be overhauled or standardized in order to meet the mandates of HIPAA
- Transaction and Code Set Standards – ICD-9, CPT
- National Identifier Standards – National Provider Identifier (NPI)
- Security Standards
4. Medical Group
Improve HIPAA and Sustain Program
• Complete the MDG medical mission and comply with HIPAA requirements
• Make HIPAA IMPROVE the combat operations capability of AFB “Line” Units
• Secure PHI
• Get needed Protected Health Information (PHI) to Wing
5. Military Command Authority (MCA)
The Military Command Authority (MCA) Exemption permits disclosure of PHI to a member’s commander in order to determine fitness for duty to conduct the mission.
But, this exemption applies only to the PHI of Active Duty ARMED FORCES MEMBERS.
6. A Unit Commander wants to know their airman’s condition.
The member’s authorization is NOT required; AND only the “Minimum Necessary” information will be disclosed (similar to “OPSEC” rules)
ALL DISCLOSURES MUST BE DOCUMENTED BY THE MTF
7. Military Command Authority (MCA)
- to determine the member’s fitness for duty,
- to determine the member’s fitness to perform any particular mission, assignment, order, or duty, including compliance with any actions required as a precondition to performance of such mission, assignment, order, or duty.
- to carry out activities under the authority of DoD Directive 6490.2, “Joint Medical Surveillance,” August 30, 1997.
- to carry out any other activity necessary to the proper execution of the mission of the Armed Forces.
Appropriate military command authorities are considered all commanders who exercise authority over an individual who is a member of the Armed Forces.
The use may be by the Commander or his/her designee.
8. MCA Impact
‘Line’ commanders perceive HIPAA as a barrier to obtaining medical information on the airmen under their command
The MDG must maintain and update an MCA roster of commanders and their designees. This roster must include Medical Commanders and their Designees.
‘Line’ commanders must educate their staff that only the commander and his/her designee may obtain Protected Health Information (PHI) from the MDG
Many of the Health and Human Services (HHS) complaints against the AF have resulted from the MDG disclosing PHI to a ‘Line’ member who is not on the MDG MCA list
9. Military Command Authority (MCA)
Common examples of health information flows from the MDG
- Readiness Reports (PIMR)
- Quarters notices to the Line
- Physical Profiles and Duty Limiting Condition Reports
- Appointment Scheduling and Reminders
- Direct Communications from Healthcare Providers
- Family Advocacy and support programs
- Required communications from Mental Health Provider
- MEB/PEB Processing
- PRP determinations
- CITA reports
- PHAs
- Request to access an individual’s health records for a specific purpose
- Request to meet with a provider to receive clarification of duty limitations, etc.
- Commander Directed Mental Health Evaluation
10. Military Command Authority (MCA)
Air Force actions resulting from the Ft Hood incident
Briefing that should be given to all ‘Line’ commanders
- Memorandum For ALMAJCOM/CV; from HQ USAF/SG; Subject: Sharing Protected Health Information with Appropriate Command Authorities; 14 May 2010
- Memorandum For All MTF/CC; from AFMOA/CC; Subject: Disclosure of Protected Health Information to Appropriate Command Authorities; 24 May 2010
- PowerPoint – Awareness Campaign Presentation
Suggest presentation be viewed in “notes” mode
11. The Privacy Rule – Disclosing Information
What is a Disclosure?
- The release, transfer, provision of access to, or divulging of information in any manner outside the covered entity holding the information
- Any time the Medical Group provides health information of an individual under your command, they are making a disclosure and must document it
There are three types of disclosures
- Patient’s authorization is not required
- Patient’s authorization is required
- Patient must be given the opportunity to either agree with, or object to, the disclosure; such notice is provided by the Notice of Privacy Practices
As Required by Law
Judicial and Administrative Proceedings
Medical Facility Patient Directory
Research Involving Minimal Risk
Inmates in Correctional Institutions or in Custody
Law Enforcement Purposes
Cadaveric Organ, Eye or Tissue Donation Purposes
Workers Compensation
Public Health Activities
Specialized Government Functions (MCA)
About Decedents
Avert A Serious Threat to Health or Safety
Health Oversight Activities
About Victims of Abuse, Neglect, or Domestic Violence
12. Six Year Retention Requirement
Documentation associated with the HIPAA Privacy/Security Program must be maintained for six years from date of implementation or last use
- Privacy Implementation Date: 14 Apr 03
- Security Implementation Date: 21 Apr 05
Common documents to be retained:
- Commander Designee letters
- Medical Group Instructions or Operating Instructions
- Local training plans/sign-in sheets
- Security Risk Assessment (OCTAVE)
- Privacy Gap Analysis (HIPAA Basics)/MEDFACTS Compliance Assessments
- Privacy Officer/Security Officer appointment letters
- Disclosure accountings; complaints; requests for restriction, amendments, or confidential communications
Items should be maintained in a file system, not a continuity binder
13. The Privacy Rule - In a Nutshell
What it does…
- Sets boundaries on the use and release of health records
- Establishes safeguards that must be met to protect the privacy of health information
- Holds violators accountable with civil and criminal penalties that can be imposed if the patient’s privacy rights are violated
What the Medical Group Must Do to Comply…
- Develop local policies & procedures to ensure compliance with privacy requirements
- Enforce workforce compliance with policies & procedures, to include sanctions when required
- Ensure workforce is trained on HIPAA requirements
- Make the MHS Notice of Privacy Practices available to beneficiaries
14. The Privacy Rule – Key Terms
- Disclosure: Allowing healthcare information to be accessed, released, or otherwise conveyed in any manner outside the entity holding the information
- Protected Health Information (PHI): Individually identifiable health information in any form that
o Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
o Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual
- Minimum Necessary: The minimum amount of protected health information necessary to accomplish a permitted use or disclosure
o The HIPAA Privacy Rule requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information
o Even within the Medical Group, staff members may only share or gain access to PHI on a “role-based” basis
15. Notice and Authorizations
We are required to give our patients a Notice Of Privacy Practices when we make our first contact with them.
This notice tells them how we will use or disclose their health information according to the HIPAA law.
Finally, it tells our patients about their rights to access their own health information and receive confidential communications.
We ask that our patients sign an acknowledgement of this Notice Of Privacy Practices to confirm that they have received it and understand it. This sticker is placed on the back of medical and dental records.
16. HIPAA Patient Privacy Rights – NoPP
- To Inspect and Copy
- To Request Restrictions
- To Request Confidential Communications
- To Request Amendment
- To an Accounting of Disclosures
- To Obtain a Copy of this Notice
- To File a Complaint
17. HIPAA and How It Affects You
Transmission of PHI from the Medical Group to You
- The Medical Group must observe Privacy Act and AF Communications Guidelines to ensure e-mail containing PHI is properly safeguarded during transmission
o Includes use of PKI encryption and Digital Signature as outlined in AFI 33-119
o Must be For Official Use Only (FOUO) as outlined in AFI 33-332
o Information is not transmitted to distribution lists unless each recipient is a Commander’s Designee and has a need to receive the information being transmitted
- The Medical Group will not transmit an e-mail message containing PHI if it cannot be properly encrypted
Verification of Identity
- Medical Group personnel must verify the identity of Commanders and designees prior to disclosing health information
o The Privacy Officer should have a good process in place for members of the MDG to know who the Commanders and the Commander designees are in each unit.
Where HIPAA Ends and the Privacy Act Begins
- PHI is a subset of Personally Identifiable Information (PII) as defined in DoD 5400.11-R
- Within the Medical Group, PHI is governed by both the Privacy Act (PA) and HIPAA
- Once properly released by the Medical Group, the information ceases to be protected by HIPAA, but remains subject to the Privacy Act
18. HIPAA and How It Affects You as a Privacy Officer
HIPAA Privacy Officers’ Roles and Responsibilities
- Be the MTF’s initial Point of Contact for all HIPAA Privacy issues and concerns
- Monitor compliance with HIPAA training requirements
- Ensure adherence to Federal Law, MHS, and AF SG policies and procedures at the MTF level
- Investigate patient privacy complaints
- Develop MTF-specific policies and procedures
- Implement methods to track disclosures of PHI
- Chair HIPAA Compliance teams
- Complete the HIPAA Privacy risk assessment
19. HIPAA and How It Affects You as a Security Officer
HIPAA Security Officers’ Roles and Responsibilities
- Oversee compliance with the HIPAA Security Rule
- Establish policies and procedures to manage electronic PHI/PII
- Monitor compliance with HIPAA training requirements
- Chair the Medical Information Security Readiness Team (MISRT)
- Develop HIPAA Security MTF-specific policies and procedures
- Ensure sanction policies are consistently applied for failure to comply with ePHI security and for breaches
- Complete the OCTAVE HIPAA security risk assessment
20. Important Contacts
Effective management requires establishing good working relationships with:
- Wing SJA/Medical Legal Advisor
- Regional Medical Legal Consultant
- AFMOA Regional Health Information Compliance Rep
- Base Comm Sq IT Staff
- Local hospital Privacy Officers where frequent admissions occur
- MDG Patient Advocate
- Base Privacy Act Officer
- Base Freedom of Information Act (FOIA) Officer
21. Trends
HITECH Breaches: AFMS has experienced 3 total that affected the PHI of 500-plus individuals.
- Improper disposal, PHI accidentally recycled, or employee removal of medical forms/PHI
- Inappropriate AHLTA and CHCS access – “AHLTA Snooping”
- Errant emails containing PHI/PII sent unencrypted, sent to the wrong email/unintended recipients, or sent to MDG-All email groups
- Violation of the “Minimum Necessary” principle when the MDG discloses too much health information
- MTF mails wrong medical records to requestor
- Lost electronic equipment: laptop/media storage/CD/thumb drive
- US Postal or FedEx: medical records packages opened during shipment to other MTFs or AFPC
- Test results to wrong patients
- Pharmacy dispenses to wrong patient
- Verbal breaches of PHI to neighbors about neighbors
22. HIPAA and Privacy Act Incidents
An Incident, defined per HIPAA, is the KNOWN or PERCEIVED unauthorized access, use, disclosure, modification, or destruction of Protected Health Information (PHI).
An Incident, defined per the Privacy Act, is the KNOWN or PERCEIVED unauthorized access, use, disclosure, modification, or destruction of Personally Identifiable Information (PII).
23. HIPAA Incidents
AFMS personnel must report potential and actual compromises of PII to the United States Computer Emergency Readiness Team (US-CERT) within one hour of the breach occurring or becoming known.
A Defense Privacy Civil Liberties Office (DPCLO) Breach Report is then accomplished.
AFMS organizations experiencing a breach of PHI must provide a copy of the DPCLO Breach Report to AFMOA/SGAT as soon as possible, but not later than 24 hours after the breach occurred or became known.
AFMOA/SGAT will forward the report to AFMSA/SG3SA where the report will be reviewed for content and clarity before forwarding to the TMA Privacy Office. AFMSA/SG3SA maintains copies of all correspondence and reports associated with breach reporting for purposes of tracking and trending incidents within the AFMS, and for documenting HHS reporting requirements.
25. Affected Individual Notification Procedures
A “risk of harm” assessment will be accomplished after the incident. If the assessment results in a “high risk of harm”, the affected individuals will be notified as soon as possible, but not later than 10 working days after the loss, theft, or compromise is discovered and the identities of the individuals ascertained. The notification should be in writing and should be concise, conspicuous, and in plain language.
NOTE: The 10-day period is a line requirement under DoD 5400.11-R and AFI 33-332 and begins after the Component is able to determine the identities of the individuals whose records were lost. If the Component is only able to identify some but not all of the affected individuals, notification shall be given to those that can be identified, with follow-up notifications made to those subsequently identified.
11/14/13
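The reporting clocks in slides 23 and 25 (US-CERT within one hour, the DPCLO Breach Report copy to AFMOA/SGAT within 24 hours, and individual notice within 10 working days of identifying the individuals when the risk of harm is high) are easy to miss under incident pressure, so here is an added example that computes them from a discovery time. It is not code from the briefing or from any Air Force system; it assumes a working day is Monday to Friday with no holiday calendar, and every date, patient label and scenario in it is constructed.

```python
# Added example (not from the briefing): breach-reporting deadlines computed
# from the discovery time. Assumptions: working days are Mon-Fri, no holiday
# calendar is modelled, and all sample dates/names below are constructed.
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


def add_working_days(start: date, days: int) -> date:
    """Return the date `days` working days (Mon-Fri) after `start`."""
    current, counted = start, 0
    while counted < days:
        current += timedelta(days=1)
        if current.weekday() < 5:  # weekday() 0-4 is Monday to Friday
            counted += 1
    return current


@dataclass(frozen=True)
class BreachDeadlines:
    us_cert_due: datetime                   # one hour after discovery
    afmoa_sgat_due: datetime                # DPCLO Breach Report copy, 24 hours
    individual_notice_due: Optional[date]   # None unless risk of harm is high


def breach_deadlines(discovered: datetime, high_risk_of_harm: bool,
                     identities_ascertained: Optional[date] = None) -> BreachDeadlines:
    """Compute the three clocks for one breach."""
    notice_due = None
    if high_risk_of_harm:
        # The 10-working-day clock starts only once identities are known,
        # which is never earlier than the discovery date itself.
        start = identities_ascertained or discovered.date()
        notice_due = add_working_days(start, 10)
    return BreachDeadlines(
        us_cert_due=discovered + timedelta(hours=1),
        afmoa_sgat_due=discovered + timedelta(hours=24),
        individual_notice_due=notice_due,
    )


def notification_waves(identity_batches: dict[date, list[str]]) -> list[tuple[date, date, list[str]]]:
    """Follow-up rule: when only some individuals are identified at first,
    each batch gets its own 10-working-day deadline from its own
    identification date. Returns (ascertained, due, names) in date order."""
    waves = []
    for ascertained in sorted(identity_batches):
        waves.append((ascertained, add_working_days(ascertained, 10),
                      sorted(identity_batches[ascertained])))
    return waves


def sample_timeline() -> dict:
    """Constructed scenario: a thumb drive with PHI is found missing on
    Monday 4 Mar 2024 at 09:00; one patient is identified that day and a
    second on Friday 8 Mar. Returns ISO strings so the result is easy to read."""
    found = datetime(2024, 3, 4, 9, 0)
    high = breach_deadlines(found, high_risk_of_harm=True)
    low = breach_deadlines(found, high_risk_of_harm=False)
    waves = notification_waves({date(2024, 3, 4): ["Patient A"],
                                date(2024, 3, 8): ["Patient B"]})
    return {
        "us_cert_due": high.us_cert_due.isoformat(),
        "afmoa_sgat_due": high.afmoa_sgat_due.isoformat(),
        "individual_notice_due": high.individual_notice_due.isoformat(),
        "low_risk_notice_due": low.individual_notice_due,  # None: no notice clock
        "waves": [(a.isoformat(), due.isoformat(), names) for a, due, names in waves],
    }


if __name__ == "__main__":
    for key, value in sample_timeline().items():
        print(f"{key}: {value}")
```

The two earlier clocks run from discovery regardless of the risk-of-harm outcome; only the individual-notice clock depends on it, and that clock restarts for each batch of newly identified individuals, which is what `notification_waves` models.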
26. Most Common Privacy Issues
Health and Human Services reports the following as the most common types of issues investigated (in order of frequency):
- Impermissible uses and disclosures of PHI
- Lack of safeguard of PHI
- Lack of patient access to PHI - CLIA
- Uses or disclosures of more than “Minimum Necessary” PHI
- Lack of or invalid authorizations for uses and disclosures
27. HOW TO AVOID BREACHES
• Do not leave PII unattended
• Lock records in cabinets/offices
• Do not remove PII from office workspace
• Limit the extraction of PII from protected information systems (e.g., export to Microsoft Access, Excel, printed format, etc.)
• Be deliberate before posting in shared environments (shared drives)
• Give access only as needed to perform duties
• Limit disclosure/access to the absolute minimum needed
• Have checks/balances in place to prevent misuse
• Properly destroy records when record retention is met
You can’t lose what you don’t have!
28. HIPAA Compliance
MEDFACTS
We have added HIPAA elements into MEDFACTS. These are regulatory elements to ensure your program is in compliance with the HIPAA rule.
If your Privacy and Security officers do not have a MEDFACTS account, suggest they get with MDG QA folks to obtain one.
29. Summary
- HIPAA hasn’t changed your ability to access the health information you need to effectively execute the military mission
- The Specialized Government Functions provision allows the Medical Group to disclose information to appropriate military command authorities or their designated representative
- The Medical Group must observe the “Minimum Necessary” principle when they disclose health information to you
- HIPAA protects health information, but the Privacy Act remains in force
- Leadership role: overseeing HIPAA Privacy and Security functions to keep the MTF compliant
- Always feel free to consult your AFMOA HIPAA Reps on any case you are dealing with
30. “HIPAA-theticals” for discussion
While in the Public Health area a MSgt who works in PH says to a friend who is not a member of the MDG, “I know your girlfriend has an STD.” The PH officer hears about it and calls you to ask what should be done.
What should you do and how should you follow this potential breach of PHI? What guidance and direction would you give your HIPAA Privacy Officer (HPO), who is a lower rank than the MSgt?
The Specialized Government Functions provision in HIPAA rules, outlined in the DoD 6025.18-R, allows the Medical Group to disclose information to appropriate military command authorities or their designated representative(s). Your HPO comes and tells you that an Army Colonel on the base for an exercise is a Senior Aide for the 4-star Admiral commander who is running the Joint Exercise. He says he needs a daily list of the exercise members who come to the MDG so he can brief the Admiral on the health status of the unit. You do not have a MCA list from the Admiral. When the HPO first told the Colonel he could not get the list, the Colonel became visibly angry and demanded to speak with the CO of the MTF.
What actions would you take to assist the HPO from being intimidated by the Colonel and how would you provide top cover on this situation?
31. “HIPAA-theticals” for discussion
An airman in the Patient Administration section reports to you that one of the other technicians has been accessing AHLTA/CHCS and reviewing the medical status of other MTF staff.
Do you consider this a privacy breach? Should you involve your HIPAA Security Officer with your HIPAA Privacy Officer? What rule did this Airman break, if any? What resources do you have available to investigate this issue?
A member of your MTF contacts an AD Patient’s unit and speaks to the member’s direct supervisor. The MTF staff member discusses the patient’s medical condition with the supervisor.
Do you consider this a Privacy Violation? What rule did the MTF staff member break, if any? Who should the MTF Staff member have contacted, if not the direct supervisor?
32. AFMOA Health Info Compliance POCs
• Chief, Health Benefits Support Branch: 210-395-9944
• Support Branch: 210-395-9926 (DSN: 969)
• North: 210-395-9953
• South: 210-395-9814
• West: 210-395-9921
• OCONUS: 210-395-9948
• Org email box: afmoahipaatraining@us.af.mil
33. Resources
- DoD 6025.18-R
- AFI 41-210
- AFI 41-217
- Military Health System: http://www.tricare.mil/tmaprivacy/Hipaa.cfm
- Department of Health and Human Services: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
- AF HIPAA Guide: https://kx.afms.mil/kxweb/dotmil/kj.do?functionalArea=HIPAA
- HIPAA Briefing for Commanders: https://kx.afms.mil/kxweb/dotmil/kjFolderList.do?folder=Toolkits&functionalArea=AFMOAHealthBenefits
As a member of the Covered Entity, and when acting on behalf of the Covered Entity, your access to PHI is on a “need to know” basis, as it is for all MTF Staff.
However, when you are acting as a “Commander”, your access to PHI is the same access we provide Line Commanders: it is based on your need under the “Military Command Authority” provision of HIPAA. You may not access PHI simply because you are a member of the MTF.
Always be cognizant of the hat you are wearing when accessing or requesting PHI.
1) The Public Law was passed in 1996
2) The Department of Health and Human Services subsequently published the “rules” for HIPAA in the Federal Register under 45 CFR parts 160, 162, and 164
3) It soon became apparent that many business practices within the healthcare industry would need to be created and/or modified in order to achieve the goals of HIPAA. Transactions and code sets are how the medical information written into a patient’s chart is converted into a standardized language (i.e. codes) for billing and other transactions. To facilitate this process a standard method of transmitting the data between entities was developed. The Security Rule protects this data, as well as other electronic health information to ensure its confidentiality, integrity, and availability.
4) When people hear the word HIPAA they usually think about privacy. This is because the HIPAA Privacy Rule is the most visible rule to the average beneficiary.
Complying with the HIPAA law is a balance between ensuring we protect the confidentiality of our patient/ beneficiary Protected Health Information (PHI), while at the same time, providing “line” commanders with the necessary information to ensure they know the fitness for duty and ability to perform the military mission of their units in this time of war.
The implementing DoD regulation is DoD 6025.18-R, “DoD Health Information Privacy Regulation”, January 2003
What MTF policies and procedures should be established:
- Establish an approved roster of Commanders and their designees who have access to HIPAA PHI on the Commanders’ behalf
- Screen releases so that only the “minimum necessary” is released. For example, a clinical summary is appropriate rather than releasing all or parts of the medical record.
- The MTF has to account for these disclosures.
- MCA DOES NOT apply to dependents and retirees
1) The Medical Group must document each instance in which it discusses or provides health information outside the Covered Entity. The individual to whom the information pertains has a right to know who received the information and the purpose of the communication. The Medical Group HIPAA Privacy Officer maintains a centralized log of all disclosures, which includes:
- The date of the disclosure
- The name of the entity or person who received the protected health information and, if known, the address
- A brief description of the protected health information disclosed
- A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure
2) The Medical Group does not have to account for disclosures...
- …for treatment, payment, or health care operations;
- …for notification of, or to persons involved in, an individual’s health care or payment for health care
- …for disaster relief
- …for facility directories
- …for a limited data set
- …for national security or intelligence purposes
- …to the individual
- …to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody
- …when authorized by the individual
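The MCA checks from slides 5 to 8 (Active Duty members only, requester on the MDG MCA roster, minimum necessary, every disclosure documented) and the accounting-log fields and exemptions in the notes just above describe one access-control and audit procedure. The following added example models that procedure in code; it is not the MDG's software or anything from the briefing, and the roster, unit, patient and requester names in it are constructed sample data. The `ACCOUNTING_EXEMPT` category strings are labels chosen here for the exemptions the notes list, not identifiers from any real system.

```python
# Added example (not from the briefing or any Air Force system): a model of the
# MCA disclosure checks and the Privacy Officer's disclosure accounting log.
# All roster, unit, patient and requester values are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Purposes the notes list as exempt from disclosure accounting (labels chosen here).
ACCOUNTING_EXEMPT = {
    "treatment", "payment", "health care operations",
    "persons involved in care", "disaster relief", "facility directory",
    "limited data set", "national security", "to the individual",
    "inmate or lawful custody", "authorized by the individual",
}


def requires_accounting(purpose_category: str) -> bool:
    """True when a disclosure with this purpose must appear in the log."""
    return purpose_category not in ACCOUNTING_EXEMPT


@dataclass(frozen=True)
class HealthRecord:
    patient: str
    unit: str
    category: str         # "ACTIVE_DUTY", "DEPENDENT" or "RETIREE"
    duty_limitation: str  # what a commander needs for a fitness-for-duty call
    diagnosis: str        # clinical detail beyond the minimum necessary


@dataclass(frozen=True)
class AccountingEntry:
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]
    description: str
    purpose: str


class DisclosureDenied(Exception):
    """Raised when a request fails one of the MCA checks."""


class DisclosureGate:
    """Applies the MCA checks and keeps the centralized accounting log."""

    def __init__(self, mca_roster: dict[str, set[str]]) -> None:
        # unit -> names of the commander and designees on the MDG MCA roster
        self.mca_roster = mca_roster
        self.accounting_log: list[AccountingEntry] = []

    def record_disclosure(self, entry: AccountingEntry, purpose_category: str) -> bool:
        """Log the disclosure unless its purpose is exempt from accounting."""
        if not requires_accounting(purpose_category):
            return False
        self.accounting_log.append(entry)
        return True

    def disclose_to_command(self, requester: str, record: HealthRecord,
                            today: Optional[date] = None,
                            address: Optional[str] = None) -> str:
        """Release the minimum-necessary summary to a verified MCA requester."""
        today = today or date.today()
        # The MCA exemption covers Active Duty Armed Forces members only.
        if record.category != "ACTIVE_DUTY":
            raise DisclosureDenied("MCA does not apply to dependents or retirees; "
                                   "the patient's authorization is required")
        # Only the commander or a designee on the MDG MCA roster may receive PHI.
        if requester not in self.mca_roster.get(record.unit, set()):
            raise DisclosureDenied(f"{requester} is not on the MCA roster for {record.unit}")
        # Minimum necessary: the duty limitation is released, the diagnosis is not.
        summary = f"{record.patient}: {record.duty_limitation}"
        # Every disclosure outside the covered entity is accounted for.
        self.record_disclosure(
            AccountingEntry(today, requester, address,
                            "duty-limitation summary (no diagnosis)",
                            "fitness for duty determination (MCA)"),
            purpose_category="specialized government function (MCA)")
        return summary


# Constructed sample data: not a real unit, commander or patient.
SAMPLE_ROSTER = {"Example Sq": {"Lt Col Commander", "Capt Designee"}}
SAMPLE_RECORD = HealthRecord(
    patient="SSgt Example", unit="Example Sq", category="ACTIVE_DUTY",
    duty_limitation="restricted to desk duty until delivery",
    diagnosis="pregnancy complication (constructed detail)")


def run_demo() -> dict:
    """Exercise the three outcomes: released, requester not on roster, non-AD patient."""
    gate = DisclosureGate(SAMPLE_ROSTER)
    result = {"released": gate.disclose_to_command("Capt Designee", SAMPLE_RECORD)}
    attempts = [("SrA NotOnRoster", SAMPLE_RECORD),
                ("Lt Col Commander", HealthRecord("Mrs Example", "Example Sq",
                                                  "DEPENDENT", "n/a", "n/a"))]
    for name, rec in attempts:
        try:
            gate.disclose_to_command(name, rec)
        except DisclosureDenied as exc:
            result[name] = str(exc)
    result["log_entries"] = len(gate.accounting_log)  # only the released one
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The pregnancy scenario from the Minimum Necessary note is the sample record: the released string carries the duty limitation a commander needs and never the diagnosis, and the denied attempts leave no accounting entry because nothing left the covered entity.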
1) The Privacy Rule applies to all forms of health information: electronic, written, and oral communications.
2) Determining who is and is not a covered entity subject to HIPAA is not as simple as it may sound. There are individuals in the healthcare industry that are NOT subject to HIPAA because they do not meet the definition of a covered entity. Likewise, there are other individuals and organizations with access to health information that do NOT have to comply with HIPAA. Some of these may include:
- Life insurance companies
- Workers compensation carriers
- Schools (education records are covered by other rules)
- Certain state agencies
3) As described above, HIPAA does not apply to individuals and organizations that do not meet the definition of a covered entity. For example, Line of the Air Force (i.e. non-medical) personnel do not meet the definition of a covered entity, and therefore are NOT subject to the HIPAA Privacy Rule
4) For purposes of this presentation it is important to understand that everyone affiliated with the Air Force Medical Service, from the personnel at your local medical group to the staff at the Surgeon General’s office, falls under the umbrella of HIPAA
5) The Medical Group develops local policies and procedures to implement the requirements of HIPAA
- The Challenge: Develop business practices that strike a balance between your “need-to-know” and the protection of the individual’s privacy rights
6) The workforce within the MTF includes all military personnel, civil service personnel, contractors, and even volunteers at your local Medical Group; all of them must receive extensive HIPAA training
7) Criminal penalties can apply to an individual, but civil penalties only apply to the covered entity. Civil and criminal penalties have been imposed within civilian healthcare entities, but such penalties have not been imposed within the AFMS and it is unclear how these penalties would apply to the AFMS
1) This principle of “Minimum Necessary” also applies within the covered entity. Even medical personnel can only access information needed to perform their job, and only in the amount necessary to accomplish the task at hand, although providers are not bound by minimum necessary. To ensure compliance with these requirements the Medical Group is required to have policies and procedures in place to identify individuals or groups of individuals with access to health information and the types of information they may access; this is known as “role-based access.” Members of the Medical Group may not access health information without a legitimate need, nor may they access information in an amount beyond the minimum necessary to accomplish the permitted use or disclosure.
2) When requesting information from the Medical Group you need to keep in mind they can only provide the information in the Minimum Necessary amount required to properly address your need for the information.
Example: A member of your organization has been placed on restricted activities due to a complication of pregnancy, and must remain on desk duty until delivering the baby. You require this information in order to make a fitness for duty determination and evaluate how the individual’s ability to perform her duties may be affected. You do NOT need to know what the specific complication is in order to make the determination, and if the medics divulged this information without justification, it would exceed the Minimum Necessary amount of information.
NOTE: When the MTF provides PHI to the Active Duty member’s commander, it is the MTF that risks a HIPAA violation should an Active Duty member complain to HHS, and it is the MTF that could be held accountable for the violation, not the commander or any organization outside the MTF.
Disclosure; DoD 6025.18-R, DL1.1.8
Health Information; DoD 6025.18-R, DL1.1.15
- You can see by this definition that virtually everything in the medical community is “health information”
Individually Identifiable Health Information; DoD 6025.18-R, DL1.1.20
- Even removing names from information is not always enough to prevent it from being “identified”
Protected Health Information; DoD 6025.18-R, DL1.1.28
- Once health information is linked to an individual the requirement for the covered entity to safeguard it under HIPAA takes effect
Minimum Necessary; DoD 6025.18-R, C8.2
- As the name implies, the medics cannot provide information beyond the minimum necessary (least amount) necessary to achieve the purpose of the disclosure
An individual (with the exception of inmates) has a right to receive Notice (commonly referred to as a “Right to Notice”) of Privacy Practices (NOPP) of the uses and disclosures of protected health information (PHI) that may be made by the MDG, of the individual’s rights as afforded under the Health Insurance Portability and Accountability Act (HIPAA), and of our legal duties and privacy practices related to the use and disclosure of PHI. The MHS NOPP is issued through the TRICARE Management Activity (TMA).
The “Acknowledgement of Military Health System Notice of Privacy Practices” health record label will be adhered to the lower centered portion of the backside jacket of the Outpatient Health Record and the Dental record.
Monthly inspections of medical/dental records for NOPP compliance will be conducted and reported to the appropriate committee. This inspection will include a sample of records checked for 1) whether a NOPP label is on the record and 2) whether the label carries the patient’s signature.
If the individual declines to acknowledge receipt of this notice, check the box “Patient/Representative Declined to Sign”. MDG staff must initial the label.
1) DoD 5400.11-R, DoD Privacy Program. DL1.14. Personal Information. Information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a social security number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (i.e., information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual).
To facilitate your leadership of the HIPAA Program, ensure you are familiar with the HIPAA Privacy and Security Officers.
To facilitate your leadership of the HIPAA Program, ensure you are familiar with the main HIPAA Privacy and Security Officer roles and responsibilities.
Examples:
- Misdirected fax documents containing PHI or PII
- Failing to properly secure documents when mailing or transporting PHI
- Lost or stolen laptop with PII
- Loss of a CD with PHI
- Providing patients with another patient’s medical/dental information
- Sending emails containing PHI/PII unencrypted
For an individual, the harmful effects from lost, compromised, or stolen PHI can result in:
- Identity theft
- Medical identity theft
- Substantial loss of time and money to repair damage to credit rating and medical and financial records
The requirement to make the US-CERT notification is found in DoD 5400.11-R and AFI 33-332. This is a line requirement under the DoD and AF Privacy Program. However, TMA will accept this same report to satisfy reporting requirements under HIPAA/HITECH.