Protecting Client Data HIPAA, HITECH and PIPA Part 1A 2014 DHS IT Security & Privacy Training
Module #1A Will Cover…. What is HIPAA? HIPAA & Privacy Security Rule Who does HIPAA apply to? HIPAA Terms Release of Information/Identity Verification Documenting Disclosure 2014 DHS IT Security & Privacy Training
Topics Continued…. Safeguarding Protective Health Information(PHI) and Personally Identifying Information (PII) Breach Notification Enforcement under HITECH Act Arkansas Personal Information Protection Act State Law Act 1526 2014 DHS IT Security & Privacy Training
What is HIPAA? HIPAA is a federal law named the Health Insurance Portability and Accountability Act. Its purpose is to provide a national standard for the protection of health information. State or other Federal laws may provide greater protections than HIPAA. 2014 DHS IT Security & Privacy Training
What is HIPAA Continued…. HIPAA applies to both: Privacy of confidential information Security of confidential information Privacy and Security of confidential information must work together. If you do not use one, the other will not work. 2014 DHS IT Security & Privacy Training
HIPAA and the Privacy Rule Protects individual health care data Defines how PHI may be used or disclosed Gives clients privacy rights and the right to access their health information Outlines ways to safeguard PHI Works with PIPA or Act 1526 The HIPAA Security Rule works with the Privacy Rule protecting electronic forms of PHI 2014 DHS IT Security & Privacy Training
Who Does HIPAA Apply to? DHS is a hybrid entity – meaning it has both covered and non-covered functions under HIPAA. Health Plans (DMS/Medicaid) Providers (DAAS, DBHS, DDS, DYS) health care providers who conduct one or more of the HIPAA-defined transactions electronically Business Associates: contractors who work for the divisions listed above. 2014 DHS IT Security & Privacy Training
Important HIPAA Terms Protected health information (PHI) is information which identifies an individual or offers a reasonable basis for identification and is created or received by a health plan or health care provider. It relates to past, present, or future physical or mental health, the provision of health care, or payment for health care. 2014 DHS IT Security & Privacy Training
HIPAA Terms Continued….. Use: When you review or use PHI within your division -- for example: for internal audits, training, customer service, quality improvement; Disclosure: When you release or provide PHI to someone outside your division -- for example: giving data to OCC or to an outside attorney or to another provider. 2014 DHS IT Security & Privacy Training
HIPAA Terms Continued…. Minimum Necessary: To use or disclose only the minimum necessary to accomplish the intended purposes of the use, disclosure or request. Employees must be given only the access to PHI needed to do their jobs; Outside organizations must only be given the PHI needed to accomplish the purpose for which the request was made; the exception is treatment requests. 2014 DHS IT Security & Privacy Training
Example Sally works in a DHS county office and sees one of her fellow caseworker’s file on the desk. She notices the name on the folder is her soon-to-be ex-husband’s girlfriend. Sally looks in the file and sees that she has applied for Medicaid and ARKids First. Sally is going through a bitter divorce along with a custody battle and thinks any information that she can give to her attorney will help her case. Sally makes copies of the file and takes it home with her and plans to show it to her attorney. Would this be a Permissible Use or Disclosure? 2014 DHS IT Security & Privacy Training
No – this is an impermissible disclosure under HIPAA. If you do not need PHI to do your job, then you should not access it. This is a HIPAA violation and may result in discipline and even termination. Never let anyone talk you into accessing information on a family member, friend, cousin, etc. If you are aware of someone who is accessing DHS data outside of the scope of their job, report it immediately. https://dhs.arkansas.gov/reporting 2014 DHS IT Security & Privacy Training
Where is PHI Found? PHI can in be found in: Client Folders Medical Records Invoices E-mails Letters 2014 DHS IT Security & Privacy Training
You May Be Asked To Disclose Information Containing PHI…. Often, PHI must be redacted or blacked out so that it is not visible before disclosing it. How do you know what to redact? On the next two slides we will go over what is considered the PHI Identifiers. These elements need to be redacted before disclosing PHI. 2014 DHS IT Security & Privacy Training
PHI Identifiers Names Medical Record Numbers Social Security Numbers Account Numbers License/Certification numbers Vehicle Identifiers/Serial numbers/License plate numbers Internet protocol addresses Health plan numbers 2014 DHS IT Security & Privacy Training
PHI Identifiers Continued… Full-face photographic images and any comparable images Any dates related to any individual (date of birth, telephone numbers) Fax numbers Email addresses Biometric identifiers including finger and voice prints Any other unique identifying number, characteristic or code that could reasonably be used to identify the owner of the PHI. 2014 DHS IT Security & Privacy Training
What is De-Identified Data? Under HIPAA's "safe harbor" standard, information is considered de-identified if all of the PHI Identifiers in the previous two slides have been removed, and there is no reasonable basis to believe that the remaining information could be used to identify a person. 2014 DHS IT Security & Privacy Training