Published by Kimberly Richard. Modified over 8 years ago.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill/Irwin
Chapter 6: The Privacy and Security of Electronic Health Information
Electronic Health Records for Allied Health Careers
6-2 Learning Outcomes
After studying this chapter, you should be able to:
1. Describe the purpose of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA).
2. Discuss how the HIPAA Privacy Rule protects patient health information.
3. Describe when protected health information can be released without patients’ authorization.
4. List three categories of threats to the security of electronic information.
5. Describe the safeguards outlined in the HIPAA Security Rule.
6-3 Learning Outcomes
After studying this chapter, you should be able to:
6. Discuss the ways that increased use of information technology places protected health information at greater risk.
7. Explain why the existing HIPAA laws may not be adequate in today’s health care environment.
8. Explain why public trust is key to the development of electronic health records and a nationwide health information network.
6-4 Key Terms
– administrative safeguards
– Administrative Simplification
– antivirus software
– audit trails
– authentication
– authorization
– availability
– business associates
– clearinghouses
– confidentiality
– covered entities (CEs)
– de-identified health information
– designated record set (DRS)
– disclosure
– electronic protected health information (ePHI)
– encryption
– firewall
6-5 Key Terms
– health information exchange
– health plan
– HIPAA Privacy Rule
– HIPAA Security Rule
– integrity
– intrusion detection system (IDS)
– minimum necessary standard
– Notice of Privacy Practices (NPP)
– passwords
– physical safeguards
– protected health information (PHI)
– providers
– role-based authorization
– technical safeguards
– treatment, payment, and operations (TPO)
6-6 The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA is the most significant legislation affecting health care since Medicare and Medicaid in 1965.
– Title I of HIPAA = Health Insurance Reform
– Title II of HIPAA = Administrative Simplification Standards
6-7 HIPAA
Title I of HIPAA = Health Insurance Reform
– This is the section of the law that allows individuals to continue health insurance coverage when they change jobs.
6-8 HIPAA
Title II of HIPAA = Administrative Simplification Standards
– Mandated formats for the transfer of electronic health care data, gave patients rights with regard to their health records, and required privacy and security mechanisms to be in place to ensure that their personal health information is kept confidential.
Some of the provisions (found on page 176 of your text):
– National standards for electronic health care transactions
– National identifiers for providers, health plans, and employers
– Rules to protect the privacy and security of health information, known as the Privacy Rule and the Security Rule
www.cms.hhs.gov/hipaageninfo
6-9 HIPAA Videos
http://www.youtube.com/watch?v=Zgo1rMSCzv8
http://www.youtube.com/watch?v=6wRDorQ73Ng
http://www.youtube.com/watch?v=fTjZ7GokQw4
6-10 The Privacy Rule
Covered entities
– Health plans – insurance plans that provide or pay for medical care; includes government and private plans.
– Providers – people or organizations that furnish, bill, or are paid for health care in the normal course of business.
– Clearinghouses – companies that process health information and execute electronic transactions.
6-11 The Privacy Rule
Business Associates
– Not covered entities, but they use PHI for business purposes; examples are the legal, transcription, and collection services a physician uses.
– Covered entities must have contracts with business associates stating that they will abide by the HIPAA Privacy Rule.
6-12 The Privacy Rule
Protected Health Information
– Covered entities must follow HIPAA regulations for the protection of health information. However, not all of the patient’s information is subject to the law. (page 179 of your text)
– PHI is defined as individually identifiable health information. Table 6-1 on page 179 lists the information that meets the definition of PHI.
– The Privacy Rule applies to PHI in any form, whether it is communicated and/or maintained verbally, on paper, or electronically.
6-13 The Privacy Rule
Minimum Necessary Standard
– When using or disclosing protected health information, a covered entity must try to limit the information to the minimum amount of PHI necessary for the intended purpose, using reasonable safeguards to protect PHI from being accidentally released.
Designated Record Set (DRS)
– A group of records that contains PHI; its contents depend on the role of the organization or provider.
6-14 The Privacy Rule
Disclosure of Protected Health Information (PHI)
Release of Information for Purposes Other Than TPO
– Under the HIPAA privacy standards, covered entities may use and disclose PHI for treatment, payment, and operations (TPO). (page 180 of your text)
– An authorization (special permission) must be obtained from the patient for uses and disclosures other than for TPO.
– Disclosures must be documented and provided to the patient if requested.
– Use and disclosure rules do not apply to de-identified health information, which is information that neither identifies nor provides a reasonable basis for identifying an individual. Please see page 183 for a list of de-identification
6-15 The Privacy Rule
Notice of Privacy Practices (NPP)
– Covered entities must list their privacy policies and procedures in a Notice of Privacy Practices (NPP).
Rights of Individuals
– The HIPAA Privacy Rule also provides significant rights to patients. (page 184 of your text)
HIPAA Enforcement
– The Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services is charged with investigating complaints.
6-16 Threats to the Security of Electronic Health Information
– The Actions of Individuals pose a significant threat to the security of data stored on computers. (page 187 of your text)
– Environmental Hazards – fires, floods, and earthquakes; utility failures such as electrical power outages. For example, Hurricane Katrina.
– Computer Hardware, Software, or Network Problems – insufficient security, programming errors, and changes such as upgrades and the addition of new users.
6-17 The Security Rule
Protects the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by covered entities.
– The HIPAA Security Rule was enacted in 2005. It covers only electronic protected health information: protected health information that is created, received, maintained, or transmitted in electronic form.
– Covers physical devices such as computers, USB flash drives, CDs, and magnetic tapes; computer networks; and information sent or received over the Internet.
6-18 The Security Rule
Administrative Safeguards
– Policies and procedures to protect ePHI.
Physical Safeguards
– Mechanisms to physically protect electronic systems, equipment, and data.
Technical Safeguards
– Automated processes that protect and control access to ePHI.
6-19 Privacy and Security Risks of Electronic Health Information Exchange
Electronic health information remains at risk. A study by the eHealth Vulnerability Reporting Program (eHVRP) found serious security flaws that could allow someone to gain access to a program and view personal health data.
http://www.net-security.org/secworld.php?id=5466
– Clinical Data Available in Electronic Form – health data being maintained on computers.
– Portable Computers and Storage Devices – laptops, PDAs, tablets.
Problems Not Adequately Addressed by Existing Privacy Laws
– Private Sector Electronic Networks
– Personal Health Records (PHRs)
– Overseas Business Associates
– Multistate Exchange of Data with Different Laws
6-20 The Importance of Public Trust
If people don’t trust that their personal information will be kept confidential, they won’t disclose it; this can lead to a lack of appropriate care.
6-21 The Importance of Public Trust
Public Attitudes Toward the Electronic Use of Health Information
– Most people believe that the confidentiality of their medical records is very important.
– The majority of people express concern about the privacy of their information.
– Regional or nationwide health information networks will have to be proven safe to gain the public’s trust.