HIPAA Health Insurance Portability and Accountability Act
HIPAA: The Law
Health Insurance Portability and Accountability Act
–Signed into federal law in 1996
–Established standards for the use and disclosure of PHI
US Department of Health and Human Services
–Responsible for creating the regulations
–Office for Civil Rights (OCR) responsible for enforcement
HIPAA: Three Parts
Standards for electronic exchange of health information
–Rules governing the transfer of health information between organizations
Privacy of health information
–Rules to protect the privacy of health information
Security of health information
–Rules to protect against threats, hazards, or unauthorized access to health information
Privacy vs. Security
Privacy – an individual's right to control access to and disclosure of their protected or individually identifiable health information (IIHI)
–Establishes authorization requirements
–Establishes administrative requirements
–Establishes individual rights
–Establishes rules for the use or disclosure of Protected Health Information (PHI)
Security – an organization's responsibility to control the means by which such information is kept confidential
–Administrative Procedures
–Physical Safeguards
–Technical Security Services
–Technical Security Mechanisms
Relationship between Privacy and Security
There is a direct relationship between privacy and security
–Privacy is the 'what' and often the 'why'; security is the 'how'
–Security is the structure established to protect IIHI
–Security awareness and education address 'what' is being protected
Definitions
Protected Health Information (PHI)
–Individually Identifiable Health Information (IIHI)
–In any form: electronic, paper, or oral
–Created or received by a health care provider, public health authority, employer, school or university
–Applies to the health information of both the living and the deceased
Individually Identifiable Health Information (IIHI)
Any information that is:
–Created or received by a health care provider, health plan, employer, or health care clearinghouse; and
–Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual; and
–Identifies the individual, or could reasonably be used to identify the individual.
IIHI – Data elements that make health information individually identifiable include:
–Name
–Street address, city, county, zip code
–Employer
–Relatives' names
–Date of birth
–Health plan beneficiary number
–Vehicle IDs and serial numbers
–Telephone/fax numbers
–E-mail addresses, URLs, and IP addresses
–Social Security numbers
–Medical record number
–Voice prints and fingerprints
–Photos
–Any other unique identifying number, characteristic, or code
PHI Safeguards
PHI displayed on electronic devices, such as computer screens, must not be readily visible to unauthorized individuals.
Unattended devices with access to PHI must be left in a state where PHI is neither accessible nor visible to unauthorized individuals.
–This can be accomplished by:
Physical access restrictions (e.g., a locked room)
Screen lock
Password-protected screen saver
Definitions
Minimum necessary
–Sharing only the minimum amount of PHI necessary to accomplish the specific purpose of the use or disclosure
Exceptions
–Release of information to other health care providers involved in the patient's treatment
–De-identified information – health information from which every element that could identify the individual has been removed. De-identified information is not Protected Health Information.
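The two definitions above (the identifier list and "de-identified information") translate directly into a release gate: strip the identifying fields, scrub identifier-shaped strings out of free text, and refuse to release anything that still carries an identifier. The following is an added example written for this page, not code from the training or from any SCDHHS system; the record field names, the sample record and the regular expressions are assumptions made for the example.

```python
import re

# Added example: a Safe Harbor-style de-identification pass over a patient
# record. Field names, sample values and regexes are assumptions for this
# example; they are not from the page or from any SCDHHS system.

# Record fields holding the direct identifiers listed above (assumed names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip", "employer",
    "relatives", "date_of_birth", "health_plan_beneficiary_number",
    "vehicle_id", "phone", "fax", "email", "url", "ip_address", "ssn",
    "medical_record_number", "voice_print", "fingerprint", "photo",
}

# Identifier shapes that tend to leak inside free-text fields such as notes.
# Order matters: SSN runs before PHONE so a 3-2-4 number is never mistaken
# for part of a phone number, and IP runs before DATE.
FREE_TEXT_PATTERNS = {
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IP":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL":   re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "DATE":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "MRN":   re.compile(r"\bMRN[-:#\s]*\d+\b", re.IGNORECASE),
}


def scrub_text(text):
    """Replace identifier-shaped substrings with [LABEL] tokens.

    Returns (scrubbed_text, labels_found).
    """
    found = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(label)
            text = pattern.sub("[" + label + "]", text)
    return text, found


def deidentify(record):
    """Drop direct-identifier fields and scrub free text in the rest.

    Non-identifying fields (diagnosis codes, year of encounter, ...) are kept,
    so the output is still useful for reporting or research.
    """
    cleaned = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            value, _ = scrub_text(value)
        cleaned[key] = value
    return cleaned


def contains_identifiers(record):
    """Pre-release check: list every identifier field or pattern still present.

    An empty list is the release gate; a non-empty list means the record is
    still PHI and must not leave the covered entity without authorization.
    """
    hits = ["field:" + key for key in record if key in DIRECT_IDENTIFIER_FIELDS]
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    hits.append("text:" + key + ":" + label)
    return hits


# Constructed sample record for the example (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "ssn": "123-45-6789",
    "date_of_birth": "03/14/1961",
    "zip": "29201",
    "medical_record_number": "MRN-0044821",
    "email": "jane@example.com",
    "diagnosis_code": "E11.9",
    "encounter_year": 2021,
    "notes": ("Pt called from 803-555-0123 on 03/14/2021 about refill; "
              "SSN 123-45-6789 confirmed; portal login from 10.20.30.40."),
}


if __name__ == "__main__":
    print("Before release:", contains_identifiers(SAMPLE_RECORD))
    released = deidentify(SAMPLE_RECORD)
    print("After de-identification:", released)
    print("Residual identifiers:", contains_identifiers(released))
```

The pattern scrub only catches strings that have a recognizable shape (numbers, addresses, dates). A patient's name, a relative's name or an employer written into a note has no such shape and passes straight through, so free-text fields must still be treated as PHI until a human or a dedicated de-identification tool has reviewed them; the field-level drop is the reliable part, the text scrub is a check, not a guarantee.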
Definitions
Covered Entity
–A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction covered by the HIPAA regulations (e.g., SCDHHS)
Business Associate
–A person or entity that performs certain functions, activities, or services for or on behalf of a covered entity involving PHI (e.g., Enterprise Applications)
HIPAA Penalties
Civil Penalties
–Up to $100 per violation
–Up to $25,000 per person, per year, per standard
Criminal Penalties – for improperly obtaining or disclosing health information
–Up to a $50,000 fine and/or 1 year imprisonment
–If under false pretenses: up to $100,000 and/or 5 years
–If with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm: up to $250,000 and/or 10 years
HIPAA TRAINING
SCDHHS training
–G:\ISD\HIPAA\SC HIPAA Split Files\scdhhstrainingtts.htm
–Download Authorware if needed
Separate signature page
HIPAA TRAINING
You Are Almost Finished!
–Go to the link below, print the form, and using an ink pen complete the Date, Employee Name, Signature and User ID fields.
–HIPAA Training Certification Signature Form
MORE INFORMATION