Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information Electronic Health Records for Allied Health Careers Cover goes here when ready

6-2 Learning Outcomes After studying this chapter, you should be able to: 1.Describe the purpose of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA). 2.Discuss how the HIPAA Privacy Rule protects patient health information. 3.Describe when protected health information can be released without patients’ authorization. 4.List three categories of threats to the security of electronic information. 5.Describe the safeguards outlined in the HIPAA Security Rule.

6-3 Learning Outcomes After studying this chapter, you should be able to: 6.Discuss the ways that increased use of information technology places protected health information at greater risks. 7.Explain why the existing HIPAA laws may not be adequate in today’s health care environment. 8.Explain why public trust is key to the development of electronic health records and a nationwide health information network.

6-4 Key Terms administrative safeguards Administrative Simplification antivirus software audit trails authentication authorization availability business associates clearinghouses confidentiality covered entities (CEs) de-identified health information designated record set (DRS) disclosure electronic protected health information (ePHI) encryption firewall

6-5 Key Terms health information exchange health plan HIPAA Privacy Rule HIPAA Security Rule integrity intrusion detection system (IDS) minimum necessary standard Notice of Privacy Practices (NPP) passwords physical safeguards protected health information (PHI) providers role-based authorization technical safeguards treatment, payment, and operations (TPO)

6-6 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) HIPAA is the most significant legislation affecting health care since Medicare and Medicaid in Title I of HIPAA = Health Insurance Reform Title II of HIPAA = Administrative Simplification Standards

6-7 The Privacy Rule Covered entities –Health plans –Providers –Clearinghouses

6-8 The privacy Rule Business Associates –not covered entities, but use PHI for business purposes –covered entities must have contracts with Business Associates stating that they will abide by HIPAA Privacy Rule

6-9 The Privacy Rule Protected Health Information –Individually identifiable health information –Privacy Rule applies to PHI in any form whether it is communicated and/or maintained verbally, on paper, or electronically.

6-10 The Privacy Rule Minimum Necessary Standard –Limiting information to minimum PHI necessary for intended purpose. Designated Record Set (DRS) –A group of records that contains PHI; contents depend on the role of the organization or provider.

6-11 The Privacy Rule Disclosure of Personal Health Information (PHI) Release of Information for Purposes Other Than TPO –An authorization (special permission) must be obtained from the patient for uses and disclosures other than for TPO. –Disclosures must be documented and provided to the patient if requested. –Use and disclosure rules do not apply to de-identified health information which is information that neither identifies nor provides a reasonable basis for identification of an individual.

6-12 The Privacy Rule Notice of Privacy Practices (NPP) Rights of Individuals HIPAA Enforcement

6-13 Threats to the Security of Electronic Health Information The Actions of Individuals Environmental Hazards Computer Hardware, Software, or Network Problems

6-14 The Security Rule Protects the confidentiality, integrity, and availability of electronic protected health information (ePHI) of covered entities

6-15 The Security Rule Administrative Safeguards –Policies and procedures to protect ePHI. Physical Safeguards –Mechanisms to physically protect electronic systems, equipment, and data. Technical Safeguards –Automated processes that protect and control access to ePHI.

6-16 Privacy and Security Risks of Electronic Health Information Exchange Clinical Data Available in Electronic Form Portable Computers and Storage Devices Problems Not Adequately Addressed by Existing Privacy Laws –Private Sector Electronic Networks –Personal Health Records (PHRs) –Overseas Business Associates –Multistate Exchange of Data with Different Laws

6-17 The Importance of Public Trust If people don’t trust that their personal information will be kept confidential, they won’t disclose it; this can lead to a lack of appropriate care.

6-18 The Importance of Public Trust Public Attitudes Toward the Electronic Use of Health Information –Most people believe that the confidentiality of their medical records is very important –The majority of people express concern about the privacy of their information. –Regional or nationwide health information networks will have to be proven to be safe to gain the public’s trust.