
AN OVERVIEW TO HIPAA (Health Insurance Portability and Accountability Act) Kelly Handerhan, Instructor

Posted 30-May-2020


TRANSCRIPT

Page 1: AN OVERVIEW TO HIPAA (Health Insurance Portability and Accountability Act)

AN OVERVIEW TO HIPAA (Health Insurance Portability

and Accountability Act)

Kelly Handerhan, Instructor

Page 2

• Why, What, How and Whom?

• Why do we need HIPAA?

• What is HIPAA?

• What is PHI?

• Privacy Rule

• NOPP (Notice of Privacy Practices)

• Security Rule

• How Does HIPAA Help us Protect PHI?

• Physical

• Administrative

• Technical Safeguards

• To Whom does HIPAA apply?

• Covered Entities

• Business Associate

• Subcontractors

• Can PHI be shared?

• To the Individual patient

• Treatment

• Payment

• Health care operations activities

HIPAA OVERVIEW AGENDA

Page 3

HIPAA—WHY, WHAT, HOW, AND WHOM?

• WHY?

• Prior to 1996 there was no federal legislation restricting the manner in which a patient’s healthcare-related information was shared, distributed, stored, or protected

• To Protect the Individual

• Protecting personal privacy is to protect the interests and dignity of individuals

• To Benefit Society through furthering research ethically

• Protecting patients involved in research from harm and preserving their rights is essential to ethical research

Page 4

HIPAA—WHY, WHAT, HOW AND WHOM?

• HIPAA

• Health Insurance Portability and Accountability Act

• Enacted by Congress in 1996; compliance with the Privacy Rule became mandatory in April 2003 and has been enforced since then

• Protects PHI (Protected Health Information)

• Two Main Elements

• Privacy Rule

• Security Rule

Page 5

WHAT IS PROTECTED HEALTH INFORMATION (PHI)?

• Protected Health Information

• Health information, including demographic information

• Relates to an individual’s physical or mental health or the provision of or payment for health care

• Identifies the individual

Page 6

EIGHTEEN IDENTIFIERS THAT MAKE HEALTH INFORMATION PHI

(These are the identifiers the Privacy Rule’s “Safe Harbor” de-identification standard, 45 CFR 164.514(b), requires to be removed. Health information that relates to an individual and still carries any of them is PHI.)

1. Names

2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code

3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death

4. Phone numbers

5. Fax numbers

6. Electronic mail addresses

7. Social Security numbers

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate/license numbers

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers and serial numbers

14. Web Universal Resource Locators (URLs)

15. Internet Protocol (IP) address numbers

16. Biometric identifiers, including finger and voice prints

17. Full-face photographic images and any comparable images

18. Any other unique identifying number, characteristic, or code (note: this does not include the unique code assigned by an investigator to code the data)

Page 7

HIPAA—THE PRIVACY RULE

• Also known as Standards for Privacy of Individually Identifiable Health Information

• Issued by the Department of Health and Human Services (HHS) as a set of national standards for the protection of certain health information

• The Privacy Rule standards address the use and disclosure of individuals’ health information (called “Protected Health Information”, or PHI) by the organizations subject to the Privacy Rule (called “Covered Entities”)

• Provides assurance that individuals’ health information is properly protected

• It must also accommodate the necessary flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

Page 8

HIPAA—THE PRIVACY RULE AND NOTICE OF PRIVACY PRACTICES

• The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of their health plans and their health care providers, as well as to be informed of their privacy rights with respect to their personal health information

• The NOPP must be provided to patients on request and posted prominently on the covered entity’s website

• The Notice of Privacy Practices must, in plain language:

• Provide adequate notice of how the covered entity may use and disclose PHI

• State the individual’s rights and the covered entity’s obligations with respect to that information

Page 9

HIPAA—THE SECURITY RULE

• Protects the privacy of individuals’ health information

• Allows enough flexibility to accommodate growth and new technologies

• Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Page 10

FOUR BASIC REQUIREMENTS

1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;

2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;

3. Protect against reasonably anticipated, impermissible uses or disclosures; and

4. Ensure compliance by their workforce.

Page 11

PRIVACY VS. SECURITY—WHAT’S THE DIFFERENCE?

• The Privacy Rule focuses on the right of an individual to control the USE of his or her personal information. Protected health information (PHI) should not be divulged or used by others against the individual’s wishes.

• The Privacy Rule covers the confidentiality of PHI in all formats, including electronic, paper, and oral.

• Confidentiality is an assurance that the information will be protected from unauthorized disclosure. The physical security of PHI in ALL FORMATS is an element of the Privacy Rule.

• The Security Rule focuses on administrative, technical, and physical SAFEGUARDS specifically as they relate to ELECTRONIC PHI (ePHI). Protection of ePHI from unauthorized access, whether external or internal, at rest or in transit, is all part of the Security Rule. Typically ePHI is stored on or moves over:

• Computer hard drives

• Magnetic tapes, disks, memory cards

• Any kind of removable/transportable digital memory media

• All transmission media used to exchange information, such as the Internet, leased lines, dial-up, intranets, and private networks

http://www.privacy.wv.gov/tips/Pages/HIPAAPrivacyHIPAASecurity.aspx

Page 12

HIPAA—WHY, WHAT, HOW, AND WHOM?

• The Security Rule requires layers of protection for ePHI

• Physical

• Administrative

• Technical

Page 13

PHYSICAL SAFEGUARDS

• Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.

• Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Page 14

ADMINISTRATIVE SAFEGUARDS

• Security Management Process. A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.

• Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.

• Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).

• Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.

• Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Page 15

ADMINISTRATIVE SAFEGUARDS CONTINUED

• The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. Risk analysis and risk management are called out separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.

• A risk analysis process includes, but is not limited to, the following activities:

• Evaluate the likelihood and impact of potential risks to e-PHI;

• Implement appropriate security measures to address the risks identified in the risk analysis;

• Document the chosen security measures and, where required, the rationale for adopting those measures; and

• Maintain continuous, reasonable, and appropriate security protections.

• Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

Page 16

TECHNICAL SAFEGUARDS

• Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

• Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.

• Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.

• Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Page 17

IF YOU DON’T NEED IT, DON’T STORE IT; IF YOU DO NEED IT, PROTECT IT!

• Minimum Necessary. A covered entity must develop policies and procedures that reasonably limit its disclosures of, and requests for, protected health information for payment and health care operations to the minimum necessary.

• Principle of Least Privilege. A covered entity also is required to develop role-based access policies and procedures that limit which members of its workforce may have access to protected health information for treatment, payment, and health care operations, based on those who need access to the information to do their jobs. However, covered entities are not required to apply the minimum necessary standard to disclosures to or requests by a health care provider for treatment purposes.
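The Information Access Management, Audit Controls and Integrity Controls safeguards on the preceding pages, together with the minimum-necessary and role-based rules on this slide, are easier to reason about as code. The Python below is an added example written for this page, not code from the slides, from Cybrary, or from HHS; the roles, the per-role field sets, the patient record and the HMAC key are assumptions constructed for illustration. It returns only the fields a role needs, records every allowed or denied access in an audit log, and chains the log entries with HMAC-SHA256 so that a later edit to any entry is detected.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Minimum necessary, expressed as the record fields each workforce role may
# see. Roles and field sets are assumptions for this example.
ROLE_FIELDS = {
    "physician": {"mrn", "name", "diagnosis", "medications", "allergies"},
    "billing": {"mrn", "name", "insurance_id", "procedure_codes"},
    "front_desk": {"mrn", "name", "next_appointment"},
}

# Placeholder key for the example; in production it comes from a KMS/HSM,
# never from source code.
AUDIT_KEY = b"example-audit-key-not-for-production"


class AccessDenied(PermissionError):
    """Raised when a role has no entitlement to PHI at all."""


class AuditLog:
    """Append-only audit trail (Audit Controls).

    Each entry's tag is HMAC(key, previous_tag || entry), so changing,
    inserting, or deleting an entry invalidates every tag after it
    (Integrity Controls).
    """

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # list of (json_payload, tag_hex)

    def _tag(self, prev_tag: str, payload: str) -> str:
        return hmac.new(self._key, (prev_tag + payload).encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> str:
        prev_tag = self.entries[-1][1] if self.entries else self.GENESIS
        payload = json.dumps(event, sort_keys=True)
        tag = self._tag(prev_tag, payload)
        self.entries.append((payload, tag))
        return tag

    def verify(self) -> bool:
        """Recompute the chain; False as soon as any entry does not match its tag."""
        prev_tag = self.GENESIS
        for payload, tag in self.entries:
            if not hmac.compare_digest(self._tag(prev_tag, payload), tag):
                return False
            prev_tag = tag
        return True


def access_record(user, role, record, purpose, log, when=None) -> dict:
    """Return the minimum-necessary view of a record for a role, auditing the attempt."""
    event = {
        "user": user, "role": role, "mrn": record.get("mrn"), "purpose": purpose,
        "time": when or datetime.now(timezone.utc).isoformat(),
    }
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        log.append({**event, "outcome": "denied"})
        raise AccessDenied(f"role {role!r} is not entitled to PHI")
    view = {k: v for k, v in record.items() if k in allowed}
    log.append({**event, "outcome": "allowed", "fields": sorted(view)})
    return view


# Constructed sample record; not real patient data.
PATIENT_RECORD = {
    "mrn": "MRN-0042", "name": "Jane Q. Sample",
    "diagnosis": "Type 2 diabetes mellitus", "medications": ["metformin"],
    "allergies": ["penicillin"], "insurance_id": "HP-7781",
    "procedure_codes": ["99213"], "next_appointment": "2019-08-01",
}


def tamper_demo() -> tuple:
    """Show that rewriting a 'denied' entry to 'allowed' is caught by verify()."""
    log = AuditLog(AUDIT_KEY)
    access_record("dr.smith", "physician", PATIENT_RECORD, "treatment", log)
    try:
        access_record("mallory", "contractor", PATIENT_RECORD, "curiosity", log)
    except AccessDenied:
        pass
    before = log.verify()
    payload, tag = log.entries[1]
    log.entries[1] = (payload.replace('"denied"', '"allowed"'), tag)
    return before, log.verify()


if __name__ == "__main__":
    log = AuditLog(AUDIT_KEY)
    print(access_record("clerk", "billing", PATIENT_RECORD, "payment", log))
    print("audit chain valid:", log.verify())
    print("chain valid before/after tampering:", tamper_demo())
```

Two design points worth noting. The denied attempt is logged before the exception is raised, so the audit trail records who tried and failed, which is what the Evaluation and incident-detection activities on the risk-analysis slide consume. And because the verification key is the same key used to write, anyone holding it can rewrite the chain; storing the key (or a periodic chain head) with a party that cannot write the log is what makes the integrity check meaningful.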

Page 18

GET CONSENT

• Consent. A covered entity may voluntarily choose, but is not required, to obtain the individual’s consent for it to use and disclose information about him or her for treatment, payment, and health care operations. A covered entity that chooses to have a consent process has complete discretion under the Privacy Rule to design a process that works best for its business and consumers. A “consent” document is not a valid permission to use or disclose protected health information for a purpose that requires an “authorization” under the Privacy Rule (see 45 CFR 164.508).

Page 19

NOTICE

• Notice. Any use or disclosure of protected health information for treatment, payment, or health care operations must be consistent with the covered entity’s notice of privacy practices. A covered entity is required to provide the individual with adequate notice of its privacy practices, including the uses or disclosures the covered entity may make of the individual’s information and the individual’s rights with respect to that information.

Page 20

HIPAA—WHY, WHAT, HOW AND WHOM?

• To whom does HIPAA apply?

• Many organizations use, collect, access, and disclose individually identifiable health information but may not be covered entities, and thus, will not have to comply with the Privacy Rule

• Covered Entities

• Health plans,

• Health care clearinghouses

• Health care providers

• Business Associates

• Subcontractors

Page 21

COVERED ENTITIES: DEFINITIONS

• Health Plan – An individual or group plan that provides or pays the cost of medical care

• Health Care Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, that facilitates the processing of health information received from another entity

• Health Care Provider – A provider of health care services

• Health Care – Care, services, or supplies related to the health of an individual, including:

• (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body

• (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

http://privacyruleandresearch.nih.gov/pr_06.asp

Page 22

BUSINESS ASSOCIATES

• A person or entity who, on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity

• Persons or entities providing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity

http://privacyruleandresearch.nih.gov/pr_06.asp

Page 23

SUBCONTRACTORS

• Any entity that uses the PHI of a business associate to carry out additional work for the business associate or the covered entity

• A Business Associate Agreement must be in place between the business associate and the subcontractor to protect the confidentiality of all PHI the subcontractor handles

http://privacyruleandresearch.nih.gov/pr_06.asp

Page 24

CAN PHI BE SHARED WITHOUT THE PATIENT’S CONSENT?

• To avoid interfering with an individual’s access to quality health care or the efficient payment for such health care, the Privacy Rule permits a covered entity to use and disclose protected health information, with certain limits and protections

• A covered entity may, without the individual’s authorization, share limited information:

• With the individual patient

• For treatment

• For payment

• For health care operations activities

• Exactly what information may be shared, and how, is further limited and defined under the Privacy Rule

Page 25

THE INDIVIDUAL PATIENT

• Besides required disclosures, Covered Entities also may disclose PHI to their patients/health plan enrollees

Examples:

• Health plans can contact their enrollees

• Providers can talk to their patients

Page 26

TREATMENT

• “Treatment” generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.

• For example: A hospital may use protected health information about an individual to provide health care to the individual and may consult with other health care providers about the individual’s treatment.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html

Page 27

PAYMENT

• “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to:

• Determining eligibility or coverage under a plan and adjudicating claims;

• Billing and collection activities;

• Reviewing health care services for medical necessity, coverage, justification of charges, and the like;

• Utilization review activities;

• Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

• For example: A health care provider may disclose protected health information about an individual as part of a claim for payment to a health plan.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html

Page 28

HEALTHCARE OPERATIONS

• “Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.

• Quality Assessment

• Underwriting

• Business Planning

• Legal or Medical Review

• For example: A health plan may use protected health information to provide customer service to its enrollees.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html

Page 29

HIPAA OVERVIEW AGENDA (recap; identical to the agenda on page 2)

Page 30

DISCLAIMER

• NOTE: This presentation is not and shall not be considered legal advice. The preceding information provided by Cybrary is general information regarding the Health Insurance Portability and Accountability Act. For legal questions specific to your company, work with your own legal counsel, who can best represent your organization.

• For further information/details/clarification, visit the following references

• View the HIPAA document in its entirety (http://www.legalarchiver.org/hipaa.htm)

• View the HIPAA Administrative Simplification (http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf)