The Health Insurance Portability and Accountability Act 

Presentation transcript:


2 Need For HIPAA
- In 2000, many patients who were newly diagnosed with depression received free samples of anti-depressant medications in their mail. This left patients wondering how the pharmaceutical companies were notified of their disease. After a long and thorough investigation, the physician, the pharmaceutical company and a well-known pharmacy chain were all indicted on breach of confidentiality charges.
- This is one of the many reasons the Federal Government needed to step in and create guidelines to protect patient privacy.
HIPAA is the Health Insurance Portability and Accountability Act.

3 HIPAA
- Establishes a Federal floor of safeguards to protect the confidentiality of medical information.
- Allows patients to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
- Purpose: To protect Protected Health Information [PHI]
- Effective from April 14,
- It is the standard for security of data systems.
- It is privacy protection for individual health information.

4 What Is PHI…?
- Health information that identifies the individual.
- Includes information about the past, present and future health and mental health of an individual.
- Information stored, used or disclosed by covered entities or business associates.
- This includes electronic data, paper documents, oral or written conversations, films and microfiche.

5 Patient Identifier
- Names
- Address (street, city, county or zip code)
- Telephone numbers
- Fax numbers
- Social Security numbers
- All elements of dates (except for years)
- Email address
- Health plan beneficiary numbers
- Medical record numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- URLs
- IP address numbers
- Biometric identifiers
- Full face photographs
- Any other unique identifying number or characteristic


Covered Entities
Defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.

8 Entity And Compliance With HIPAA
a. Notify patients about their privacy rights and how their information can be used.
b. Adopt and implement privacy procedures.
c. Train employees so they understand the privacy procedures.
d. Designate a Privacy Officer.
e. Secure patient records containing Protected Health Information [PHI].
f. Provide individuals with a custom-made notice of their privacy rights and of the disclosure of protected health information (the Notice of Privacy Practice). It covers the patient's rights, disclosure rules and regulations.

9 Business Associates
A person or entity that performs a function or activity on behalf of a Covered Entity [CE] that requires the creation, use or disclosure of Protected Health Information [PHI] but who is not considered part of the Covered Entity's workforce. They must have a written contract or agreement that assures they will appropriately safeguard the Protected Health Information [PHI] they create or receive.

10 Business Associates
Examples of Business Associates
- A third party administrator who assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist who provides transcription services to a physician.
- A pharmacy benefits manager who manages a health plan's pharmacist network.

11 Administrative Safeguards
1. Security management process: Conduct risk analysis on a periodic basis and make sure all policies and procedures are followed. A sanction policy is required, and information system activity review is necessary for the firewall and network and for safeguarding the technical infrastructure.
2. Assigned security responsibilities: Appoint a HIPAA security officer.
3. Workforce security: Includes authorization and supervision, workforce clearance procedures (only required access) and termination procedures.
4. Information access management: Done by monitoring logins and by password management.

12 Administrative Safeguards
5. Security awareness training: Both covered entities and business associates should train their workforces; security reminders are to be sent out.
6. Security incident procedures: Have security incident procedures in place.
7. Contingency plan evaluation: Requires data backup and a data recovery plan; this includes man, machine and technology. Also includes an emergency mode operation plan for business continuity and disaster management; for this, check assets, facilities and data priority.
8. Business associate contract: A contract between the covered entity and the business associate, based on 45 CFR, for the use and disclosure rules of protected health information.

13 Physical Safeguards
1. Facility access controls: Contingency plan and validation procedure. All the doors of the organization except the front door should be locked, and the front door should lead to a reception area where every person is scanned.
2. Workstation use: This safeguard requires policies and procedures to protect ePHI at the workstation level, ensuring that workstations are used appropriately.
3. Workstation security: Make sure the workstation does not walk off, e.g. when laptops are used.
4. Device and media control: Any media storing PHI should be disposed of properly at the end of its life, using a shredding machine or formatting; reusable media should be formatted. Media and hardware must be accounted for.

14 Technical Safeguards
1. Access and audit control: Each user should have a unique user ID. Emergency access, automatic logoff and password-protected screensavers are needed, as are encryption and decryption. Audit logs need to be generated, and random audits of the audit log are required.
2. Transmission security: Prevents users from accessing or changing PHI while it is in transit. Use encryption.
3. Integrity: Making sure that the data is correct and accurate.
4. Person or entity authentication: If a third party needs to access the systems for PHI, they should be authenticated first.
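An audit log only supports the random audits and the integrity safeguard above if edits to the log itself can be detected. The following is an added example, not part of the original presentation: a hash-chained audit log keyed with HMAC-SHA-256, where the entry fields, the user IDs and the in-code key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: a real key lives in a KMS/HSM
GENESIS = "0" * 64             # chain start value for the first entry

def _mac(prev_mac, entry):
    # Bind each entry to the MAC of the one before it.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def append(log, user_id, action, record_id, ts):
    if not user_id:
        raise ValueError("every audit entry needs a unique user ID")
    entry = {"ts": ts, "user": user_id, "action": action, "record": record_id}
    prev = log[-1]["mac"] if log else GENESIS
    log.append({**entry, "mac": _mac(prev, entry)})

def verify(log, head=None):
    """Return the index of the first broken entry, len(log) if the log was
    truncated relative to the externally stored head MAC, or None if intact."""
    prev = GENESIS
    for i, row in enumerate(log):
        entry = {k: v for k, v in row.items() if k != "mac"}
        if not hmac.compare_digest(row["mac"], _mac(prev, entry)):
            return i
        prev = row["mac"]
    if head is not None and not hmac.compare_digest(prev, head):
        return len(log)
    return None

def demo():
    # Constructed sample entries.
    log = []
    append(log, "nurse.0142", "view", "rec-001", "2024-01-05T09:00:00Z")
    append(log, "dr.0007", "update", "rec-001", "2024-01-05T09:05:00Z")
    append(log, "billing.0031", "export", "rec-002", "2024-01-05T09:10:00Z")
    head = log[-1]["mac"]              # store this outside the log itself
    edited = [dict(r) for r in log]
    edited[1]["record"] = "rec-999"    # entry altered after the fact
    deleted = log[:1] + log[2:]        # entry removed from the middle
    truncated = log[:2]                # newest entry dropped
    return (verify(log, head), verify(edited, head),
            verify(deleted, head), verify(truncated, head))

if __name__ == "__main__":
    print(demo())
```

The chain alone cannot reveal that the newest entries were dropped, which is why the latest MAC is kept outside the log and passed to `verify` as `head`.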

15 Thank You Contact Us:- ITCube BPO Solution, - Phone- +1 (614) Reed Hartman Highway, Suite # 134, Cincinnati, Ohio , USA