Chapter 11
by Dee McGonigle, Kathleen Mastrian, and Nedra Farcus
Overview of the Health Insurance Portability and Accountability Act (HIPAA) of 1996
Key Terms Defined
American National Standards Institute (ANSI) - The private, non-profit organization that coordinates the voluntary consensus standards system in the United States and accredits the standards developing organizations (HL7 among them) whose standards HIPAA relies on.
Centers for Medicare & Medicaid Services (CMS) - The federal agency within the Department of Health and Human Services that administers Medicare and Medicaid; it is the largest single payer for healthcare in the U.S., including the home healthcare and elderly care services covered under Medicare.
Confidentiality - Safeguarding all personal information by ensuring that access is limited to those who are authorized.
Consequences - Outcomes or products resulting from our decision choices.
Key Terms Defined
Electronic Data Interchange (EDI) - A specific set of standards for exchanging information computer to computer, without human re-keying; the HIPAA transaction standards are built on the ANSI X12 EDI formats.
Electronic Health Record (EHR) - A repository of information regarding the health status of a client, replacing the former paper-based medical record; it is the systematic documentation of a client's health status and healthcare in a secured digital format, meaning that it can be processed, stored, transmitted and accessed by authorized interdisciplinary professionals for the purpose of supporting efficient, high quality healthcare across the client's healthcare continuum. Also known as an Electronic Medical Record: an electronic health or medical record is a computer-based patient medical record that can be used to collect and look up patient data by physicians or health professionals at various locations such as doctors' offices or hospitals. The record includes information such as patient problems, medications, allergies and laboratory results (Certification Commission for Healthcare Information Technology [CCHIT], 2007).
Extensible Markup Language (XML) - Began as a simplified subset of Standard Generalized Markup Language (SGML); its major purpose is to facilitate the exchange of structured data across different information systems, especially via the Internet. It is considered an extensible language because it permits users to define their own elements, so a vocabulary can be customized for a specific purpose.
Gramm-Leach-Bliley Act (GLBA) - Federal legislation in the United States that controls how financial institutions handle the private information they collect from individuals.
Key Terms Defined
Health Insurance Portability and Accountability Act (HIPAA) - Signed into law by President Clinton in 1996. Hellerstein (1999, p. 1) summarized the intent of the Act as follows: to curtail health care fraud and abuse, enforce standards for health information, guarantee the security and privacy of health information, and assure health insurance portability for employed persons.
Health Information Technology (HIT) - The means (devices and methods) necessary to maximize the acquisition, storage, retrieval and use of health information.
Health Level 7 (HL7) - Level Seven in HL7's name means the "highest level of the International Standards Organization's (ISO) communications model for Open Systems Interconnection (OSI) - the application level. The application level addresses definition of the data to be exchanged, the timing of the interchange, and the communication of certain errors to the application. The seventh level supports such functions as security checks, participant identification, availability checks, exchange mechanism negotiations and, most importantly, data exchange structuring" (HL7, n.d., ¶ 5). HL7 (n.d.) "is one of several American National Standards Institute (ANSI) -accredited Standards Developing Organizations (SDOs) operating in the healthcare arena" (¶ 1). Its mission states that "HL7 provides standards for interoperability that improve care delivery, optimize workflow, reduce ambiguity, and enhance knowledge transfer among all of our stakeholders, including healthcare providers, government agencies, the vendor community, fellow SDOs and patients" (¶ 5).
Information Technology (IT) - The use of hardware, software, services, and supporting infrastructure to manage and deliver information using voice, data, and video; or, more broadly, the use of technologies from computing, electronics, and telecommunications to process and distribute information in digital and other forms, and anything related to computing technology, such as networking, hardware, software, the Internet, or the people who work with these technologies. Many hospitals have IT departments that manage the computers, networks, and other technical areas of the healthcare enterprise.
Key Terms Defined
International Organization for Standardization (ISO; commonly called the International Standards Organization) - An international network of the national standards bodies of numerous countries that develops consistent standards across a multitude of industries to support a global economy. ISO is best known in the technology industries for the ISO 9000 quality-management standards; in information security it publishes, jointly with the IEC, the ISO/IEC 27000 series.
National Provider Identifier (NPI) - A standard 10-digit unique identifier mandated by HIPAA for healthcare providers and designed to replace the previous provider identifiers.
Open Systems Interconnection (OSI) - ISO's seven-layer reference model for standardizing networking. HL7 takes its name from the seventh (application) layer: it addresses the distinct requirements of the applications in use in hospitals and other facilities rather than the lower transport layers, and it is at this level that user authentication and privacy are considered (Webopedia, 2008).
Privacy - An individual's interest in controlling personal information, whether about the owner or about other individuals, that is included for sharing with others electronically, together with the mechanisms that restrict access to this personal information.
Key Terms Defined
Protected Health Information (PHI) - Individually identifiable health information, that is, information about a person's health, care or payment for care that is tied to any type of personal identification, held or transmitted by a covered entity in any form or medium; in electronic form it is referred to as ePHI.
Regional Health Information Organizations (RHIO) - A regional network of health care organizations and providers who exchange information related to the health of the population. The goal is to work together without duplication to provide cost effective health care and promote community well-being.
Rights - Privileges; the right to privacy, confidentiality, etc.
Sarbanes-Oxley Act (SOX) - Legislation put in place to protect shareholders as well as the public from deceptive accounting practices in organizations.
Key Terms Defined
Security - Protection from danger or loss; in informatics, you must protect against unauthorized access, malicious damage, and incidental and accidental damage, enforce secure behavior, and maintain the security of computing, data, applications, information and networks.
Standards Developing Organizations (SDOs) - Organizations, many of them ANSI-accredited, that develop the guidelines, standards and rules that help healthcare entities collect, store, manipulate, dispose of and exchange PHI securely; HL7 and ASC X12 are examples. Many SDOs are working on such standards, and HIPAA depends on them to enforce standards for health information while guaranteeing its security and privacy and curtailing health care fraud and abuse.
Standard Generalized Markup Language (SGML) - A metalanguage for defining document markup languages; XML began as a simplified subset of SGML.
Overview of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton in 1996. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is the departmental component responsible for implementing and enforcing the privacy regulation (since 2009 OCR has enforced the security regulation as well). Guaranteeing the security and privacy of health information has been the focus of numerous debates. One of the biggest stumbling blocks to the implementation of comprehensive privacy standards was the associated cost.
Overview of HIPAA
The Administrative Simplification portion of this law is intended to decrease financial and administrative burdens by standardizing the electronic transmission of certain administrative and financial transactions. The Privacy Requirements (the Privacy Rule) took effect on April 14, 2003 and limit the use and release of protected health information (PHI): apart from treatment, payment, healthcare operations and other specifically permitted purposes, a covered entity needs the patient's written authorization before it may disclose PHI. According to the US Department of Health and Human Services (2002), the Privacy Rule also gives patients certain rights over their information. On October 16, 2003 the Electronic Transaction and Code Set Standards became effective.
Overview of HIPAA
The Security Requirements (the Security Rule) required compliance by April 20, 2005 (April 20, 2006 for small health plans) and require covered entities to put administrative, physical and technical safeguards in place that protect the confidentiality, integrity and availability of electronic protected health information (ePHI) when it is stored and transmitted. Safeguards need to control access whether the data are at rest (residing on a machine or storage medium), being processed, or in transit, such as being backed up to storage or disseminated across a network; the Rule's technical safeguards are access control, audit controls, integrity controls, person or entity authentication, and transmission security. HIPAA, with its privacy, confidentiality and security regulations, was the first of its kind: the first set of national rules for protecting patients' health information. As information becomes more prevalent in electronic formats it will be easier to collect, store, monitor, track, exchange, disseminate and aggregate PHI across covered entities, including healthcare networks and data repositories, so the need for these safeguards will only grow.
Overview of HIPAA
The HIPAA standards are designed to smooth the path for, and actually increase the amount of, electronic transmissions. "The American National Standards Institute (ANSI) X12N and Health Level 7 (HL7) Standards Organizations worked together to develop an electronic standard for claims attachments to recommend to HHS" (Spencer and Bushman, 2006, ¶ 2). HL7 was initially associated with HIPAA in 1996 through the creation of a Claims Attachments Special Interest Group charged with standardizing the supplemental information needed to support healthcare insurance and other e-commerce transactions. The HL7 mission is supported through two separate groups, the XML Special Interest Group and the Structured Documents Technical Committee. ISO is "a non-governmental organization: its members are not, as is the case in the United Nations system, delegations of national governments."
United States and Beyond
The Gramm-Leach-Bliley Act (GLBA) is federal legislation in the United States that controls how financial institutions handle the private information they collect from individuals. The Sarbanes-Oxley Act (SOX) is legislation that was put in place to protect shareholders as well as the public from deceptive accounting practices in organizations.
HIPAA
The HIPAA Privacy Rule is intended to enhance the rights of individuals. It gives them greater access to and control over their PHI: they can inspect it, request amendment of it, and restrict certain uses, disseminations and disclosures. Covered entities must not only establish the required level of security for PHI but also sanctions for workforce members who violate their privacy policies, and administrative processes for responding to patient requests regarding their information.
Thought Provoking Questions
1. Why is it important to establish patient ownership of the health care record?
2. What are the potential negative consequences of the proposed right of amendment and correction of healthcare records by patients?
3. One of the largest problems with healthcare information security has always been inappropriate use by authorized users. How will the proposed regulations help to curb this problem?
4. How do you envision HL7 and HIPAA evolving in the next decade?
5. Imagine that you are the designated Privacy Officer in a healthcare institution. What types of monitoring procedures would you develop?
6. What would you include in your sanctions for violations policy?
7. How would you address the following?
a. Tracking each point of access to the patient database, including who entered the data.
b. Nurses in your hospital have an access code that only gives them access to their unit's patients. A visitor accidentally comes to the wrong unit looking for a patient and asks the nurse to find out what unit the patient is on.
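As an added illustration of questions 7a and 7b, and of the Security Rule's access-control and audit-control safeguards described in the overview (example code, not from the chapter or its authors): the Python below models a nurse whose access code is scoped to a single unit, writes every lookup attempt, allowed or denied, to an append-only audit log in which each entry commits to the hash of the previous one, and verifies the chain so that a later edit or deletion of any entry is detected. The patient, user and unit records are constructed for the example, the hash-chained log is one design choice among several, and the log deliberately stores only the record identifier, never the clinical content.

```python
"""Unit-scoped access control with a tamper-evident audit trail for ePHI.

Added example; the patient and staff records below are constructed and the
field names (mrn, unit, role) are assumptions for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data: hypothetical patients and nurses, each tied to one unit.
PATIENTS = {
    "MRN-1001": {"unit": "3-West", "name": "Patient A"},
    "MRN-2002": {"unit": "4-North", "name": "Patient B"},
}
USERS = {
    "nurse.lee": {"role": "nurse", "unit": "3-West"},
    "nurse.kim": {"role": "nurse", "unit": "4-North"},
}

GENESIS = "0" * 64  # prev-hash value for the first entry


class AuditLog:
    """Append-only log; every entry records the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash everything except the stored hash itself, with stable key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, action, mrn, outcome, when=None):
        """Append one entry: who, what, which record (identifier only), when, outcome."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "action": action,
            "mrn": mrn,  # the identifier is logged, never the clinical content
            "outcome": outcome,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first entry whose chain link or hash is broken,
        or None when the whole log is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def lookup_patient(user_id, mrn, log, when=None):
    """Return the patient record only if the user's unit matches; log every attempt."""
    user = USERS.get(user_id)
    patient = PATIENTS.get(mrn)
    if user is None or patient is None:
        log.record(user_id, "lookup", mrn, "denied:unknown", when)
        return None
    if user["unit"] != patient["unit"]:
        # Question 7b: the nurse's code does not reach other units' patients,
        # so the lookup is refused and the refusal itself is recorded.
        log.record(user_id, "lookup", mrn, "denied:unit-scope", when)
        return None
    log.record(user_id, "lookup", mrn, "allowed", when)
    return patient


if __name__ == "__main__":
    log = AuditLog()
    lookup_patient("nurse.lee", "MRN-1001", log)   # own unit: allowed
    lookup_patient("nurse.lee", "MRN-2002", log)   # other unit: denied
    print("chain intact:", log.verify() is None)
    log.entries[1]["outcome"] = "allowed"          # simulate after-the-fact tampering
    print("first broken entry:", log.verify())
```

In question 7a, "who entered the data" is the user field that every entry carries, and the chain check is what you would run on a schedule and whenever an entry is questioned: changing, removing or re-ordering an entry breaks the link at that index. In 7b the denied entry is the correct outcome; it also gives the Privacy Officer of question 5 a signal to review, since a cluster of unit-scope denials by one user is exactly the "inappropriate use by authorized users" that question 3 is about.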