HIPAA, PRIVACY AND SECURITY: THE BASICS. Miguelina Platt, ST. JOSEPH'S COLLEGE
Transcript
Page 1: Presentation hippa

HIPAA, PRIVACY AND SECURITY

THE BASICS

Miguelina Platt

ST. JOSEPH'S COLLEGE

Page 2: Presentation hippa

TOPICS

What are privacy and security all about?

What is confidentiality?

How to protect confidential information?

What is HIPAA?

Page 3: Presentation hippa

Definitions

Privacy Rule: foundation of federal protection for personal health information.

Confidentiality: set of rules that limits access or places restrictions on certain types of information.

Authorization: granting permission.

Breach of Confidentiality: to break an agreement.

Source:

www.wikipedidia.com

Page 4: Presentation hippa

HIPAA

Health Insurance Portability and Accountability Act

The first federal legislation (effective April 14, 2003) that attempts to protect a patient’s right to privacy, and the security and access of personal medical information.

HIPAA (Public Law 104-191) was enacted into law by Congress in 1996. Enacted to do the following:

To ensure the portability of health insurance

To prevent health care fraud and abuse

Source:

www.hipaa.org

Page 5: Presentation hippa

Continued:

To enforce health information standards that will improve the efficiency of health care delivery, simplify the exchange of data between health care entities, and reduce costs.

To reduce the paperwork associated with processing health care transactions.

Source:

Hebda, T. & Czar, P. (2009). Handbook of informatics for nurses & healthcare professionals.

Page 6: Presentation hippa

HIPAA Privacy Act

Establishes a foundation of Federal protection for personal health information, carefully balanced to avoid creating unnecessary barriers to the delivery of quality health care.

The Act allows health care providers to access information necessary for payment of services with the consent of the patient.

The Act imposes certain restrictions and limitations to provide further protection to the patient.

Source:

www.hhs.org/hipaa

Page 7: Presentation hippa

HIPAA IS TO PROTECT EVERYONE

Page 8: Presentation hippa

Benefits of the Privacy Rule

Imposes restrictions on the use/disclosure of personal health information.

Gives patients greater protection of their medical records.

Provides patients with greater peace of mind related to the security of their health information.

Source:

www.hhs.org/privacy/hipaa

Page 9: Presentation hippa

PATIENT SECURITY

Patient data can be stripped of identifiers that might otherwise be used to identify that individual.

The Department of Health & Human Services has proposed 19 identifiers for removal, such as:

Name

Address

Telephone number

Date of Birth

Source:

www.hhs.org/identifiers/hipaa

Page 10: Presentation hippa

INFORMATION SECURITY

Information security provides 3 important qualities:

1. Confidentiality – No one should have access to the information unless they are authorized and prove a need for the information.

2. Integrity – The information can be trusted, and it has not been changed or deleted by accident or through tampering.

3. Availability – The important information is there when it is needed.

Page 11: Presentation hippa

Confidentiality

Deals with communication or information given to you without fear of disclosure.

Legitimate Need to Know and Informed Consent

It also refers to the duty the health care professional has to protect the secrecy of information about a patient’s condition, regardless of the source.

Source:

www.hhs.org/hipaa.

Page 12: Presentation hippa

Protected Health Information

What is protected health information (PHI)?

When a patient gives personal health information to a healthcare provider, that becomes Protected Health Information (PHI).

www.hipaasurvivalguide.com/

Page 13: Presentation hippa

PROTECTED HEALTH INFORMATION

PHI Includes:

Verbal information

Information on paper

Recorded information

Electronic information (faxes, e-mails, texts)

Page 14: Presentation hippa

Protected Health Information

Examples of patient information:

Patient's name or address

Social Security numbers

Tax ID numbers

Health care provider's notes

Billing information

Page 15: Presentation hippa

SURF WITH CARE WHEN ACCESSING PHI’S!

Page 16: Presentation hippa

Protections for Health Information

Physical Barriers: Computer terminals not in public spaces.

Administrative: Policies and procedures in place for release of patient information.

Staff: Keeping passwords confidential and not letting anyone else use your password.

Source:

J. DeMoore, R.N., personal communication, Oct. 23, 2014.

Page 17: Presentation hippa

Practical Ways to Keep Information Safe

Never discuss a patient in any public areas.

Always put confidential papers away when leaving a work station.

Never leave confidential papers on fax machines or in public areas.

Dispose of confidential papers in approved shredders.

Never discuss confidential health information with family members.

Source:

J. DeMoore, R.N., personal communication, Oct. 23, 2014.

Page 18: Presentation hippa

Notice of Privacy Practices

Patients have the right to adequate notice concerning the use/disclosure of their PHI.

The Notice of Privacy Practices must contain the patient’s rights and the covered entities’ legal duties.

Patients are required to sign a statement that they were informed and understand the privacy practices.

Source:

www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities.

Page 19: Presentation hippa

ACCOUNTABILITY

Accountability Principle: The Principles in the Privacy and Security Framework emphasize that compliance with, and appropriate mechanisms to report and mitigate non-compliance with, the Principles are important to building trust in the electronic exchange of individually identifiable health information.

Source:

The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment.

Page 20: Presentation hippa

When Can Disclosure Be Made of PHI

The personal health information can be disclosed for several reasons:

1) For treatment, billing and payment, health care management.

2) With an informed authorization from the patient.

3) When giving patient access to their own PHI.

Source:

www.hhs.org/hipaa.

Page 21: Presentation hippa

Minimum Necessary

According to the HIPAA guidelines, a covered entity must develop policies and procedures that reasonably limit disclosures of and requests for protected health information.

The entity is also required to develop access policies that limit who may access the PHI. Use of the PHI is limited to the minimum amount of health information required to do a specific job.

Source:

www.hhs.org/hipaa.

Page 22: Presentation hippa

Practical Minimum Necessary

Know who needs to access the PHI.

Know what portion of the PHI is needed for patient care.

Provide access only to those who need to access the information to care for the patient.

Source:

J. DeMoore, R.N., Personal Interview. Oct 23, 2014.

Page 23: Presentation hippa

Not Everyone Needs Access!

Page 24: Presentation hippa

Unauthorized PHI Disclosures

PHI can be disclosed without the consent of the patient when:

1) There is a need to report abuse, or neglect.

2) To organ donation organizations.

3) For public health safety concerns related to disease prevention or control.

Patients can, though, request a list of who has viewed their PHI, but they must sign a consent for it.

Source:

www.hhs.gov/ocr/privacy/hipaa

Page 25: Presentation hippa

SECURITY DANGERS

Fires, earthquakes, power outages, and even burst water pipes can damage confidential paper records and computer systems. Technical systems may crash, or they can catch a computer “virus”, also potentially damaging information.

However, the biggest threats come from people, both insiders and outsiders. Careless conversations or curiosity can lead to inappropriate disclosure of PHI.

Deliberate actions are also a threat, such as using someone else’s password without their knowledge to obtain someone else’s PHI, altering data, or even copying data for identity theft.

Source:

www.foxgrp.com/blog/hipaa-breach.

Page 26: Presentation hippa

Security Applies to All!!

Page 27: Presentation hippa

Health Information Technology for Economic and Clinical Health Act

HITECH

HIPAA needed to be updated to reflect the increase in identity theft, so rules were added to include protections against it.

Page 28: Presentation hippa

HITECH

Federal Law, part of the Reinvestment and Recovery Act (ARRA), enacted Sept. 2009.

Applies to covered health care entities. Many changes to privacy and security laws were added.

Increases penalties for privacy and security breaches.

Requires notifications to the patient and the Department of Health and Human Services of information breaches.

Provides for increased penalties and prosecution of breaches in privacy or security.

Source:

www.hipaasurvivalguide.com/hitech-act-13400.php

Page 29: Presentation hippa

Mitigation

Improper use or disclosure of PHI requires penalties or mitigation of the harm that it caused.

1) Covered entities need to identify the cause of the violation and amend privacy policies and technical procedures to assure the breach does not reoccur.

2) They must notify the individual of the violation if the individual needs to take steps to avoid the harm, as in the case of identity theft.

3) The network must be investigated to prevent further leakage of information.

Source:

www.hipaasurvivalguide.com

Page 30: Presentation hippa

Patients' Rights

Patients have a right to confidentiality of all information that is provided to the healthcare professional and institution caring for them.

Healthcare professionals have a duty to the patient to secure all information at all times and to resolve any breaches promptly.

The Hospital has a duty to provide the patient with confidentiality, privacy and security. They must ensure that records are protected against loss, tampering, destruction or unauthorized use.

Source:

www.jointcommission.org

Page 31: Presentation hippa

Paper or Electronic, Security & Privacy Always!
