Health Care Information Portability and Accountability Act Passed in 1996 2 objectives 1) Ensure people could maintain health insurance between jobs (portability) 1) Which became COBRA 2) Ensure the security and confidentiality of patient information or PHI (accountability) 2) Establish standard transactions for exchanging health care data (accountability)
RuleDefinitionCompliance Deadline Transactions and Code Sets 9 encounter related transactions diagnostic, therapeutic, and treatment codes October 16, 2003 Health Claims AttachmentsTBD Identifiers Employer Identifier StandardJuly 30, 2004 National Provider Identifier Standard or NPIMay 23, 2007 Health Plan Identifier StandardTBD Individual Identifier StandardTBD PrivacyThe ability to control who is authorized to access PHI. The right of individuals to keep information about themselves from being disclosed. April 14, 2003 SecurityThe ability to control access to, and prevent PHI from accidental or intentional disclosure to unauthorized persons; and from alteration, destruction, or loss. April 20, 2005
What is Protected Health Information (PHI)? Any individually identified health information including: demographic information that relates to the individual's past, present, or future physical or mental health condition or any other identifying information that can be used to identify the individual. The following identifiers are considered PHI and must be protected: Names Address (including zip code) Dates (birth, admission, discharge, death) Telephone numbers Fax numbers addresses Social security numbers Medical record numbers
Health plan beneficiary numbers Account numbers Certificate/License numbers Vehicle identifiers and serial numbers (including license plate) Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) addresses Biometric identifiers, including finger and voice prints Full face photographic images and any comparable images; and Any other unique identifying number, characteristic, or code.
Under the Privacy Rule, PHI may be used and disclosed without patient written authorization for the purposes of treatment, payment, and health care operations. There are other situations in which information may be used or disclosed without the patient's authorization. Including: Workers Compensation Law Enforcement Purposes Victims of Abuse Health Oversight Activities Public Health Activities
In February 2009, the Health Information Technology for Economic and Clinical Health ("HITECH") ACT was enacted as part of the American Recovery and Reinvestment Act of 2009 ("ARRA"). HITECH made significant changes to HIPAA's administrative simplification provisions pertaining to privacy and security, including notifying individuals (and in some instances, media outlets) when there has been a privacy/security breach.
Under the HITECH regulations, a "breach" is the unauthorized acquisition, access, use or disclosure of PHI that compromises the security and privacy of the PHI. "Compromise the security and privacy of the PHI" means that the breach poses a significant risk of financial, reputational or other harm to the individual.
ViolationEach ViolationMultiple Violations in same year Violations occurred without the knowledge of covered entity and by exercising reasonable diligence would not have known it violated the HIPAA Privacy Rule $100-$50,000$1,500,000 Violations due to reasonable cause$1,000 to $50,000$1,500,000 Violations due to willful neglect but are corrected within 30 days $10,000 to $50,000 $1,500,000 Violations due to willful neglect and are not corrected $50,000$1,500,000
ANYONE CAN FILE! - Anyone can file a complaint alleging a violation of the Privacy, Security or Breach Notification Rules. We recommend that you use the OCR Complaint Portal or the OCR Health Information Privacy Complaint Form Package. You can also request a copy of this form from an OCR regional office. If you need help filing a complaint or have a question about the complaint or consent forms, please e- mail OCR at HIPAA PROHIBITS RETALIATION - Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.
(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR , or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR ; (g) Maintain and make available the information required to provide an accounting of disclosures to the covered entity as necessary to satisfy covered entity’s obligations under 45 CFR ; (h) To the extent the business associate is to carry out one or more of covered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and (i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
Laptops Lost, stolen, loaned, unsecured, viruses Faxes Shot in the dark Passwords 10 most common passwords of 2013 2. password 4. qwerty 5. abc123 9. iloveyou 10. adobe123
Unlocked workstations ing documents Wireless Antivirus/MS Updates Text messages Forwarding corporate to personal accounts Smart phones Audit logs
Patient Portals Passwords generated from EMR Must be registered patient to have account Password protecting documents in Built into MS Word, MS Excel Encrypted PDFs WinZip password protection Guest wireless disclaimers
As of June , more than 1,000 breaches affecting more than 500 patients each – have been reported to the Department of Health & Human Services. Healthcare "is being aggressively and specifically targeted," according to Eric Perakslis, former CIO and chief scientist at FDA To date, nearly 39 million people have had their PHI compromised in HIPAA privacy or security breaches according to data from the Department of Health and Human Services.
HIPAA simplification: HITECH: ARRA: ACA: OCR: DHHS: