AN OVERVIEW TO HIPAA (Health Insurance Portability and Accountability Act)
Kelly Handerhan, Instructor

HIPAA Overview Agenda
- Why, What, How and Whom?
  - Why do we need HIPAA?
  - What is HIPAA?
  - What is PHI?
  - Privacy Rule and NOPP (Notice of Privacy Practices)
  - Security Rule
- How does HIPAA help us protect PHI?
  - Physical, Administrative and Technical Safeguards
- To whom does HIPAA apply?
  - Covered Entities
  - Business Associates
  - Subcontractors
- Can PHI be shared?
  - To the individual patient
  - Treatment
  - Payment
  - Health care operations activities

HIPAA—Why, What, How, and Whom?
- Prior to 1996 there was no legislation restricting the manner in which a patient's healthcare-related information was shared, distributed, stored, or protected.
- To protect the individual: protecting personal privacy is to protect the interests and dignity of individuals.
- To benefit society through furthering research ethically: protecting patients involved in research from harm and preserving their rights is essential to ethical research.

HIPAA—Why, What, How and Whom?
- Health Insurance Portability and Accountability Act
- Federally enacted in 1996 and strictly enforced since 2003
- Protects PHI (Protected Health Information)
- Two main elements: the Privacy Rule and the Security Rule

What is Protected Health Information (PHI)?
Health information, including demographic information, that:
- relates to an individual's physical or mental health or the provision of or payment for health care, and
- identifies the individual.

Eighteen Elements Considered PHI
1. Names
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, ZIP code, etc.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (note: this does not mean the unique code assigned by the investigator to code the data)

HIPAA—The Privacy Rule
- Also known as the Standards for Privacy of Individually Identifiable Health Information
- Issued by the Department of Health and Human Services (HHS) as a set of national standards for the protection of certain health information
- The Privacy Rule standards address the use and disclosure of individuals' health information (called "Protected Health Information", PHI) by organizations subject to the Privacy Rule (called "Covered Entities")
- Provides assurance that individuals' health information is properly protected
- Must also consider the necessary flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being
Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

HIPAA—The Privacy Rule and Notice of Privacy Practices
- The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of their health plans and their health care providers, as well as to be informed of their privacy rights with respect to their personal health information
- The NOPP must be provided to patients who request this information and posted prominently on the covered entity's website
- The Notice of Privacy Practices must, in plain language:
  - provide adequate notice of how a covered entity may use and disclose PHI
  - indicate the individual's rights and the covered entity's obligations in relation to that information

HIPAA—The Security Rule
- Protects the privacy of individuals' health information
- Allows enough flexibility to allow for growth and new technologies
- Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information

Four Basic Requirements
Covered entities must:
- ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- identify and protect against reasonably anticipated threats to the security or integrity of the information;
- protect against reasonably anticipated, impermissible uses or disclosures; and
- ensure compliance by their workforce.

Privacy vs. Security—What's the Difference?
- The Privacy Rule focuses on the right of an individual to control the USE of his or her personal information. Protected health information (PHI) should not be divulged or used by others against their wishes.
- The Privacy Rule covers the confidentiality of PHI in all formats, including electronic, paper and oral. Confidentiality is an assurance that the information will be protected from unauthorized disclosure. The physical security of PHI in ALL FORMATS is an element of the Privacy Rule.
- The Security Rule focuses on administrative, technical and physical SAFEGUARDS specifically as they relate to ELECTRONIC PHI (ePHI). Protection of ePHI from unauthorized access, whether external or internal, stored or in transit, is all part of the Security Rule.
- Typically ePHI is stored in:
  - computer hard drives
  - magnetic tapes, disks, memory cards
  - any kind of removable/transportable digital memory media
  - all transmission media used to exchange information, such as the Internet, leased lines, dial-up, intranets, and private networks
Source: http://www.privacy.wv.gov/tips/Pages/HIPAAPrivacyHIPAASecurity.aspx

HIPAA—Why, What, How, and Whom?
The Security Rule requires layers of protection to protect PHI:
- Physical
- Administrative
- Technical

Physical Safeguards
- Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Administrative Safeguards
- Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
- Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
- Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
- Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Administrative Safeguards (continued)
- The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
- A risk analysis process includes, but is not limited to, the following activities:
  - evaluate the likelihood and impact of potential risks to e-PHI;
  - implement appropriate security measures to address the risks identified in the risk analysis;
  - document the chosen security measures and, where required, the rationale for adopting those measures; and
  - maintain continuous, reasonable, and appropriate security protections.
- Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

Technical Safeguards
- Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

If You Don't Need It, Don't Store It; If You Do Need It, Protect It!
- Minimum Necessary. A covered entity must develop policies and procedures that reasonably limit its disclosures of, and requests for, protected health information for payment and health care operations to the minimum necessary.
- Principle of Least Privilege. A covered entity also is required to develop role-based access policies and procedures that limit which members of its workforce may have access to protected health information for treatment, payment, and health care operations, based on those who need access to the information to do their jobs.
- However, covered entities are not required to apply the minimum necessary standard to disclosures to or requests by a health care provider for treatment purposes.
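The technical safeguards slide (access control, audit controls, integrity controls) and the minimum-necessary and least-privilege points above describe what an e-PHI store has to do on every read. The code below is an added example written for this page, not the presentation's or Cybrary's code, showing those three safeguards together in one small store: a constructed role table decides which sections of a record a role may see (least privilege), every attempt is written to a hash-chained audit log whether it succeeds or not (audit controls), and each record carries an HMAC tag that is re-checked before the record is released (integrity controls). The roles, the HMAC key and the record contents are all assumptions made up for the example; transmission security (TLS on the wire) is not modelled.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Role -> record sections that role may see. Constructed example policy;
# a real one comes from the covered entity's own access procedures.
ROLE_ACCESS = {
    "physician": {"demographics", "clinical"},
    "billing": {"demographics", "billing"},
    "front_desk": {"demographics"},
}


class AccessDenied(Exception):
    pass


@dataclass
class EphiStore:
    integrity_key: bytes                          # HMAC key; keep in a KMS/HSM in production
    records: dict = field(default_factory=dict)   # id -> {"sections": {...}, "tag": hex}
    audit_log: list = field(default_factory=list) # append-only, hash-chained entries

    def _tag(self, sections: dict) -> str:
        # Canonical JSON so the same content always yields the same tag.
        canonical = json.dumps(sections, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.integrity_key, canonical, hashlib.sha256).hexdigest()

    def _audit(self, user, role, record_id, action, outcome, detail=""):
        # Each entry commits to the previous one, so deleting or editing an
        # entry breaks the chain and is visible to audit_chain_valid().
        prev = self.audit_log[-1]["entry_hash"] if self.audit_log else "0" * 64
        entry = {"ts": time.time(), "user": user, "role": role, "record": record_id,
                 "action": action, "outcome": outcome, "detail": detail, "prev_hash": prev}
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)

    def store(self, user, role, record_id, sections):
        self.records[record_id] = {"sections": dict(sections), "tag": self._tag(sections)}
        self._audit(user, role, record_id, "store", "ok")

    def read(self, user, role, record_id):
        """Return only the sections the role may see; log every attempt."""
        allowed = ROLE_ACCESS.get(role, set())
        rec = self.records.get(record_id)
        if rec is None or not allowed:
            self._audit(user, role, record_id, "read", "denied", "no role access or no record")
            raise AccessDenied(f"{user} ({role}) may not read {record_id}")
        if not self.verify_integrity(record_id):
            self._audit(user, role, record_id, "read", "denied", "integrity check failed")
            raise AccessDenied(f"record {record_id} failed integrity check")
        view = {k: v for k, v in rec["sections"].items() if k in allowed}
        self._audit(user, role, record_id, "read", "ok", "sections=" + ",".join(sorted(view)))
        return view

    def verify_integrity(self, record_id) -> bool:
        rec = self.records[record_id]
        return hmac.compare_digest(rec["tag"], self._tag(rec["sections"]))

    def audit_chain_valid(self) -> bool:
        prev = "0" * 64
        for e in self.audit_log:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Constructed walk-through: store a record, read it under two roles,
    refuse a role with no access, then tamper with the stored data and
    show the integrity check catching it."""
    store = EphiStore(integrity_key=b"example-key-not-for-production")
    store.store("admin1", "physician", "rec-001", {
        "demographics": {"name": "Jane Example", "year_of_birth": 1962},  # made up
        "clinical": {"dx": "example diagnosis"},
        "billing": {"plan_id": "EX-123"},
    })
    physician_view = store.read("dr.smith", "physician", "rec-001")
    billing_view = store.read("clerk1", "billing", "rec-001")
    try:
        store.read("intern1", "researcher", "rec-001")   # role not in ROLE_ACCESS
        denied = False
    except AccessDenied:
        denied = True
    # Simulate tampering that bypasses the API (e.g. a direct database edit).
    store.records["rec-001"]["sections"]["clinical"]["dx"] = "altered"
    tamper_detected = not store.verify_integrity("rec-001")
    return physician_view, billing_view, denied, tamper_detected, store


if __name__ == "__main__":
    pv, bv, denied, tampered, st = demo()
    print("physician sees:", sorted(pv))
    print("billing sees:", sorted(bv))
    print("researcher denied:", denied, "| tamper detected:", tampered)
    print("audit chain intact:", st.audit_chain_valid())
```

Two design points worth noting: denied attempts are logged with the same structure as successful ones, because the "examine activity" half of audit controls depends on seeing failed access, and the integrity tag is checked on read rather than only on write, so silent modification of stored e-PHI is detected at the moment it would otherwise be disclosed.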

Get Consent
- Consent. A covered entity may voluntarily choose, but is not required, to obtain the individual's consent for it to use and disclose information about him or her for treatment, payment, and health care operations.
- A covered entity that chooses to have a consent process has complete discretion under the Privacy Rule to design a process that works best for its business and consumers.
- A "consent" document is not a valid permission to use or disclose protected health information for a purpose that requires an "authorization" under the Privacy Rule (see 45 CFR 164.508).

Notice
- Any use or disclosure of protected health information for treatment, payment, or health care operations must be consistent with the covered entity's notice of privacy practices.
- A covered entity is required to provide the individual with adequate notice of its privacy practices, including the uses or disclosures the covered entity may make of the individual's information and the individual's rights with respect to that information.

HIPAA—Why, What, How and Whom?
To whom does HIPAA apply? Many organizations use, collect, access, and disclose individually identifiable health information but may not be covered entities, and thus will not have to comply with the Privacy Rule.
- Covered Entities: health plans, health care clearinghouses, health care providers
- Business Associates
- Subcontractors

Healthcare Providers
- Health Plan: an individual or group plan that provides or pays the cost of medical care.
- Health Care Clearinghouse: a public or private entity, including a billing service, repricing company, community health management information system or community health information system, that would facilitate the processing of health information received from another entity.
- Health Care Provider: a provider of health care services.
- Health Care: care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
Source: http://privacyruleandresearch.nih.gov/pr_06.asp

Business Associates
- A person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity
- Persons or entities performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity
Source: http://privacyruleandresearch.nih.gov/pr_06.asp

Subcontractors
- Any entity that uses the PHI of a business associate to carry out additional work for the business associate or covered entity
- A Business Associate Agreement must be in place between the business associate and the subcontractor to protect the confidentiality of all PHI
Source: http://privacyruleandresearch.nih.gov/pr_06.asp

Can PHI Be Shared Without the Patient's Consent?
- To avoid interfering with an individual's access to quality health care or the efficient payment for such health care, the Privacy Rule permits a covered entity to use and disclose protected health information, with certain limits and protections.
- A covered entity may, without the individual's authorization, share limited information:
  - to the individual patient
  - for treatment
  - for payment
  - for health care operations activities
- Certain limitations on exactly what information can be shared, and how, are further defined under the Privacy Rule.

The Individual Patient
- Besides required disclosures, covered entities also may disclose PHI to their patients/health plan enrollees.
- Examples: health plans can contact their enrollees; providers can talk to their patients.

Treatment
- "Treatment" generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
- For example: a hospital may use protected health information about an individual to provide health care to the individual and may consult with other health care providers about the individual's treatment.
Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html

Payment
- "Payment" encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
- In addition to the general definition, the Privacy Rule provides examples of common payment activities, which include, but are not limited to:
  - determining eligibility or coverage under a plan and adjudicating claims;
  - billing and collection activities;
  - reviewing health care services for medical necessity, coverage, justification of charges, and the like;
  - utilization review activities;
  - disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).
- For example: a health care provider may disclose protected health information about an individual as part of a claim for payment to a health plan.
Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html

Healthcare Operations
- "Health care operations" are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment:
  - quality assessment
  - underwriting
  - business planning
  - legal or medical review
- For example: a health plan may use protected health information to provide customer service to its enrollees.
Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html

Disclaimer
NOTE: This presentation is not and shall not be considered legal advice. The preceding information provided by Cybrary is general information regarding the Health Insurance Portability and Accountability Act. Please remember that for legal questions specific to your company, ensure you are working with your own legal counsel who can best represent your organization.
For further information, details or clarification, visit the following references:
- View the HIPAA document in its entirety: http://www.legalarchiver.org/hipaa.htm
- View the HIPAA Administrative Simplification: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf