The Health Insurance Portability and Accountability Act of Federal Law designed to protect sensitive information. HIPAA violations are enforced by the Department of Health and Human Services.
Virtually ALL health information, or protected health information (PHI) in any format, to include: Paper Electronic Oral
Social Security number Credit Card numbers Driver’s License Research data Computer passwords Individual identifiable health information Personal information
Health care providers provide them to patients. They describe how the HIPAA-covered entity uses and discloses health information.
The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for the protection of certain health information. The U.S Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Addresses the use and disclosure of individuals health information called “PHI” (protected health information) by covered entities subject to the Privacy Rule.
A covered entity is any person or organization that furnishes, bills or is paid for health care services in the normal course of the business. Pursuant to HIPAA, individually identifiable health information collected or created in a covered entity is considered “protected health information” (PHI)
Health Care Provider Health Plan Health Care Clearinghouse
This includes providers such as.. Doctors Clinics Psychologists Dentists Chiropractors Nursing Homes Pharmacies ...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
This includes… Health insurance companies HMOs Company health plans Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Protected Health information. Any information that can be used to identify a patient (whether living or deceased) and which relates to the patient’s past, present, or future physical or mental health or condition, including healthcare services provided and the payment for those services.
Patient name Telephone number Social Security number Fax number Vehicle identification number address Web URL’s Dates Names of relatives Full face photograph or images Health care record number Account number Biometric identifier Device identifier Health plan beneficiary number Certificate or license number Any other unique number, code, or characteristic that can be linked to an individual.
To define and limit the circumstances in which an individual’s PHI may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: as the Privacy Rule permits or requires. as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
An employee may only access or disclose a patient’s PHI when this access is part of the employee’s job duties.
It is never acceptable for an employer to look at PHI “just out of curiosity” even if no harm is intended. All information is entitled to the same protection whether it may be from a close friend or family and must be kept private.
Covered entity may use/disclose PHI to carry out essential health care functions. Treatment Payment Health care operations Disclosures for other purposes usually require a specific, written authorization from the individual of the information.
Treatment means the provision, coordination, or management of health care by one or more health care providers, including: Consultation between health care providers; or Patient referrals
Payment means activities of: Health care providers to obtain payment or be reimbursed for their services. Health plans to obtain premiums, fulfill coverage responsibilities, or provide reimbursement for the provision of health care.
Health care operations are administrative, financial, legal and quality improvement activities Necessary to run business and to support core functions of treatment and payment Quality assessment and improvement activities Training, accreditation, certification, credentialing, licensing, reviewing competence, evaluating performance Fraud and abuse detection
Only members of the workforce who need protected health information may have access to it. You should only have access to the “minimum necessary” amount of PHI to do their job.
You can disclose PHI to a person authorized to have the PHI. You may need to verify that the individual really is who they claim to be.
A breach occurs when information that by law must be protected is: Lost, stolen, or improperly disposed of (i.e. paper or device upon which the information is recorded cannot be accounted for Hacked into by people or mechanized programs that are not authorized to have access Communicated or sent to others who have no official need to receive it (for example, gossip from information learned of a medical record)
Do not share PHI of your client with anybody who does not need to know, such as your family and friends. Do not save PHI of your client to your laptop, flash drive or other electronic media unless you are required to do so. Do not leave PHI out for everyone to see. Do not leave PHI in a voic message. Do not put PHI in a trash or recycle bin, but make sure it is shredded.
HIPAA is a Federal Law. HIPAA mistakes can have the same types of consequences as any mistakes you may make at work. Purposely disclosing PHI to unauthorized individuals is a criminal offense.
Spot the HIPAA violation (8min) KU The Omnibus Rule (3min) QL9PoePU HIPAA Training for Caregivers (23min) fk