
HIPAA Privacy & Security Overview


Presentation on theme: "HIPAA Privacy & Security Overview"— Presentation transcript:

1 HIPAA Privacy & Security Overview

2 Workforce Security Training
Audience:
- Anyone who has access to ePHI
- New employees or contractors, as part of organizational training
- Existing staff, when there are changes to physical/technical infrastructure or to Privacy/Security policies

INTRODUCTION FOR PRESENTER: This presentation is appropriate for anyone in your organization who has access to protected health information (including electronic PHI) as part of their job; for new employees or contractors as part of organizational training; or when there are changes to your organization's physical or technical infrastructure or privacy policies. Please note: this presentation is a general overview of the HIPAA Privacy and Security Rules. We have bolded content where we recommend adding your own internal policies and procedures that are important for your staff and personnel to understand.

3 We focus ONLY on this portion of HIPAA.
Overview of HIPAA:
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Health Care Fraud and Abuse (Subtitle F, Administrative Simplification: Electronic Transactions, Code Sets, Unique Identifiers, Employer Identifier, Privacy, Information Security)
- Title III: Tax Related Health Provisions
- Title IV: Group Health Plan Requirements
- Title V: Revenue Offsets

We focus ONLY on Title II, Subtitle F.

To start off, what is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act. While there are five titles in HIPAA, the portion of the Act we are addressing today is Title II, which deals with the accountability portion of HIPAA. Specifically, we are addressing Subtitle F, "Administrative Simplification." The underlying rationale for Administrative Simplification was to standardize electronic transactions and code sets; these are the first two boxes on the bottom of our chart. Prior to HIPAA there were over 400 different standards for these transactions; HIPAA reduced that number to 8. With the standardization of transactions and code sets came concern about the privacy and security of protected health information, or PHI. The Privacy Rule was issued to protect the rights of consumers, restore trust in the healthcare system and reduce fraud in Medicare. Before the Privacy Rule, for example, your doctor could sell your health information to a marketing or drug company and you could not prevent it. The Security Rule was issued to address the safeguarding of PHI in electronic format.

4 Who does HIPAA Impact?
HIPAA applies to all "Covered Entities," including:
- Health Care Providers
- Health Plans: health plans offered by insurance companies; employer-sponsored health plans (e.g., medical, dental, prescription, vision, health FSAs, EAPs, wellness programs, HRAs)
- Health Care Clearinghouses
- Business Associates: firms working with covered entities (e.g., billing services, transcription services, TPAs, brokers)

Who does HIPAA impact? HIPAA applies to "Covered Entities." There are different types of covered entities, and Health Care Providers are the group most impacted by HIPAA because it affects their day-to-day operations. Health Care Providers include hospitals, physician practices, nursing homes, chiropractors, dentists, and so forth. Health plans are the second group of covered entities. Health plans include insurance companies that provide health insurance to individuals and groups, and employer-sponsored plans. If an employer provides a health insurance benefit to its employees and has access to PHI as part of that process, the plan is covered under the regulation. Because so many employers sponsor a health plan, HIPAA touches a large share of businesses in the United States. Health Care Clearinghouses are the smallest group. These are organizations that process claims for physician practices and other providers by converting them from one format to another, generally from a nonstandard format into the standard electronic transaction formats (or back again). Last, Business Associates are not themselves "covered entities," but they create, receive, maintain or transmit PHI on behalf of a covered entity, such as billing or transcription services, and are therefore bound by HIPAA through a business associate agreement. Since the HITECH Act, business associates are also directly liable for compliance with the Security Rule and can be penalized directly.

5 Protected Health Information (PHI) Individually Identifiable Health Information
Protected Health Information (PHI): information relating to the past, present or future physical or mental health of an individual (employee), whether an active or terminated employee.

Individually Identifiable PHI: information that identifies an individual. Identifiers may include:
- Name
- Address
- E-mail address
- Telephone numbers
- Date of birth
- Social Security number
- Account numbers
- Group Health Plan beneficiary number
- Any other unique identifying number, characteristic or code

Before we dive into the Privacy Rule, it is important to understand what, exactly, protected health information IS. Protected Health Information (PHI) is information (data points) relating to the past, present, or future physical or mental health of an individual (employee), whether they are an active or terminated employee. So, let's say you have a prescription that says 10 milligrams of Prozac. Is this considered PHI? It is if you can tie that prescription to an individual. So, if you have a name, date of birth, employee ID, health plan ID or some other identifier, the health information becomes INDIVIDUALLY IDENTIFIABLE and therefore covered under HIPAA. Note that an identifier does not need to be a name: an account number, a device serial number or a combination of seemingly innocuous fields (date of birth plus ZIP code, for example) can be enough to identify a person.

6 Privacy Rule Applies to paper/oral/electronic records
- Sets boundaries on the use and disclosure of health information
- Gives individuals more control over their own health information
- Establishes safeguards for protecting the privacy of health information
- Holds covered entities accountable for violations of privacy requirements

Let's now discuss HIPAA's Privacy Rule in more detail. The Privacy Rule applies to PHI in any format, whether it is on paper, oral or electronic. The Privacy Rule sets boundaries on the use and disclosure of PHI. The Privacy Rule gives individuals more control over their health information: it protects the individual's right to access their information and to amend it if it is incorrect. Individuals also have the right to receive an accounting of who else has seen this information where its use or disclosure was not part of typical treatment, payment or health care operations. The Privacy Rule establishes safeguards for protecting the privacy of health information; the rule uses the term "reasonable safeguards." The Security Rule goes into much greater detail about how to determine what these reasonable safeguards are, and we will discuss that shortly. Last, the Privacy Rule holds covered entities accountable for violations of the privacy requirements.

7 Privacy Rule
Some requirements that a covered entity must comply with include, but are not limited to:
- Designating a Privacy Official
- Designating a contact for handling complaints
- Developing policies and procedures on the use and disclosure of individually identifiable health information
- Providing training to all workforce members on the policies and procedures that affect their job duties
- Providing a Notice of Privacy Practices to individuals

Along with safeguards for PHI, the Privacy Rule has additional requirements with which the covered entity must comply. These include, but are not limited to: designating a Privacy Official who is responsible for bringing the covered entity into compliance with the Privacy Rule and for the covered entity's ongoing privacy practices (ensure your staff know who your Privacy Official is and how to contact them); designating a contact for handling complaints (ensure your staff know who your Complaints Contact is and how to contact them); developing policies and procedures on the use and disclosure of individually identifiable health information; providing training to all workforce members on the policies and procedures that affect their job duties; and providing a Notice of Privacy Practices to individuals.

8 How May a Covered Entity Use Protected Health Information?
- Covered entities share this information with other health care providers.
- They are permitted to use and/or disclose information for treatment, payment or health care operations without getting permission from the individual.
- Using information for any other reason, or disclosing it to anyone other than the patient or another covered entity involved in their care, generally requires a signed and verified authorization.

How might a covered entity use protected health information? A covered entity is permitted to use and/or disclose information for treatment, payment or health care operations without securing patient permission. The patient should have received notification of permitted uses and disclosures in the Notice of Privacy Practices provided by their covered entity. To use information for any other reason, or to disclose it to someone other than the patient or clinician, may require a signed and verified authorization. (Take a moment here to review your organization's Disclosure Policy and Notice of Privacy Practices document(s).)

9 Authorizations What is an authorization? When is it used?
What is an authorization? A document used to permit PHI disclosures beyond treatment, payment and health care operations.
When is it used? For example:
- Disclosure to a spouse/family member
- Marketing purposes
- Research
- Fund raising

An authorization is used to allow a covered entity to disclose PHI for reasons other than those we have already discussed. Valid authorizations must be limited in scope, valid only for a limited time, and may be revoked by the participant. Examples include disclosure to a spouse or other family member who is not a personal representative, and disclosures for marketing, research, or fund raising. (Review your organization's authorization policy and form, as applicable.)

10 Other Aspects of HIPAA Administration
An individual has the right to:
- Access their PHI
- Receive an accounting of disclosures and amend their PHI
- File a complaint
- Request confidential communications
- Request restrictions on access to their PHI

As previously mentioned, patients/employees should receive a Notice of Privacy Practices from their covered entity. This notice should address the rights of the individual under HIPAA. These include: the right to access the PHI that the covered entity has created, maintained or received; the right to receive an accounting of who has seen their PHI through non-routine disclosures by the covered entity, its insurance carriers, or third parties (these entities must account for disclosures that are not specified in the Privacy Notice); the right to amend this information if they believe it to be incorrect; the right to file a complaint about the use or disclosure of their PHI; the right to request confidential communications, so that if they want to discuss PHI with the covered entity they can do so in a confidential manner; and the right to request restrictions on access to their PHI. For example, a patient may request that you not disclose their PHI to a third party because their former spouse works there.

11 Confidentiality
All covered entity employees who have access to PHI agree that at no time, during or after their employment with the covered entity, will they use, access, or disclose PHI to anyone except as required or permitted in the course and scope of their duties. Unauthorized use or disclosure may result in disciplinary action up to and including termination. Civil or criminal penalties may also apply.

If you have access to protected health information you should have signed an agreement that at no time, during or after your employment with the covered entity, will you use, access or disclose protected health information to anyone except as required or permitted in the course and scope of your duties. If you have not signed this agreement, please contact your Privacy Official as soon as possible. Your employer will determine the consequences for improper PHI disclosure; however, these consequences often involve disciplinary action or termination. Civil or criminal penalties may also apply. There have been criminal convictions under HIPAA resulting in prison sentences and fines for employees who improperly used and disclosed PHI with intent to sell it. (Review and have trainee(s) sign the Nondisclosure Agreement.)

12 What is Electronic PHI?
Electronic PHI (ePHI) is individually identifiable health information that is:
- Transmitted by electronic media, or
- Maintained in electronic media.
(PHI more broadly also includes information transmitted or maintained in any other form or medium, such as paper or oral; that wider set is covered by the Privacy Rule, not the Security Rule.)

Examples of ePHI include but are not limited to:
- Claims information
- Medical records
- Billing information
- Lab results

Protection for ePHI is outlined in the HIPAA Security Rule. ePHI is the electronic information your organization creates, maintains, sends, or receives. The Security Rule:
- requires covered entities and their business associates to follow a documented risk analysis and risk management process: identify the risks to ePHI, implement measures to mitigate the identified risks, and revisit the analysis as the environment changes;
- applies only to ePHI, whereas the Privacy Rule applies to all PHI;
- addresses confidentiality, data integrity and availability;
- is much narrower than the Privacy Rule in scope but deeper regarding the details of its implementation. It is also technology-neutral and scalable: it names the safeguards that must be addressed but leaves the choice of specific controls to the organization's risk analysis.

(Include any other forms of ePHI your company may create, maintain, send, or receive.)

13 What must you Protect?
Covered entities must ensure:
- Confidentiality: ePHI is protected from use by or disclosure to unauthorized individuals, entities, or processes.
- Integrity: data being stored or transmitted is valid; protects against risks like unauthorized modification, insertion, and deletion.
- Availability: data is accessible and usable upon demand by an authorized entity.

If the employer handles ePHI on behalf of its plan, the plan documents must include provisions requiring the employer to implement reasonable and appropriate safeguards. We will look at these in detail on the following slide. Before we can implement safeguards, we need something to protect, and that something is ePHI. Specifically, covered entities must ensure the confidentiality, integrity and availability of ePHI. How are these terms defined? Confidentiality means that ePHI is protected from use by or disclosure to unauthorized individuals, entities or processes. Integrity means that the data being stored or transmitted is valid; it protects against risks such as the unauthorized modification, insertion and deletion of data. Availability means that information must be accessible and usable upon demand by an authorized entity.

14 What are Safeguards?
- Administrative: administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures, and to manage workforce conduct in relation to ePHI
- Physical: physical measures, policies and procedures to protect hardware, equipment, etc. from natural and environmental hazards and unauthorized intrusion
- Technical: technology, and the policies and procedures for its use, that protect ePHI and control access to it

How do you help to ensure the confidentiality, integrity and availability of ePHI? As part of compliance with HIPAA's Security Rule, a covered entity must create and employ reasonable and appropriate safeguards to protect an individual's ePHI. Administrative safeguards are administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage workforce conduct in relation to the protection of that information. Examples include appointing a security officer, procedures for handling security incidents, data backup, virus protection, log-in monitoring and password management. Physical safeguards are physical measures, policies, and procedures to protect electronic information systems (the hardware) and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Examples are contingency operation plans, protection from unauthorized physical access, workstation use rules, and device and media controls. Technical safeguards are the technology, and the policies and procedures for its use, that protect ePHI and control access to it. Examples include assigning unique user IDs to individuals accessing ePHI, automatic log-off, encryption and decryption of data and e-mail, audit controls that record who accessed what, and procedures to verify that a person seeking access to ePHI is who he or she claims to be.

15 Safeguard Examples
- Workforce security (Administrative and Technical): background checks; confidentiality agreements; termination procedures
- Information access (Technical): access authorization; regular software updates; encryption
- Device and media controls (Technical and Physical): disposal; reuse; data backups
- Facility (Physical): access authorization and control (keycard); accountability, hardware and software inventories, media control, etc.
- Workstations (Physical and Administrative): acceptable and unacceptable uses of computer technology; desktop maintenance
- Access controls (Technical): unique user logins; automatic logoff; encryption

This slide lists several additional examples of the three types of security safeguards that may be put into place to protect ePHI. As you can see, a single area of operation may involve more than one type of safeguard.
Workforce: background checks; authorization and supervision (confidentiality agreements); termination process.
Information access: access authorization (for example, who may retrieve PHI from a shared printer); regular software updates; encryption.
Device and media: disposal; reuse; data backups.
Facility: access authorization and control; accountability, hardware and software inventories, media control, etc.
Workstation: acceptable and unacceptable uses of computer technology; desktop maintenance (not leaving PHI out in the open).
Access controls: unique user ID; automatic logoff procedures; encryption.
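To make the technical safeguards on the last two slides concrete, here is an added example (not part of the original presentation, and not any particular vendor's product) of a small ePHI access layer written in Python. It shows four of the controls named above working together: unique user IDs carried on every session, role-based "minimum necessary" field filtering, automatic logoff after an idle period, and an integrity tag that detects unauthorized modification of a stored record, with every attempt written to an audit trail. The record, users, roles, field policy and 15-minute timeout are all constructed for illustration; encryption at rest is deliberately left out (use a vetted AEAD from a maintained library rather than anything hand-rolled).

```python
"""Added example: minimal ePHI access layer demonstrating HIPAA technical
safeguards. All identifiers, roles and records below are constructed."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 15 * 60  # automatic logoff threshold (assumed policy value)

# Minimum-necessary policy: which record fields each role may see (constructed).
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "prescriptions"},
    "billing": {"name", "dob", "account_number", "claims"},
}


@dataclass
class Session:
    user_id: str          # unique per individual; shared accounts defeat the audit trail
    role: str
    last_activity: float
    active: bool = True


class EphiStore:
    def __init__(self, integrity_key: bytes, clock=time.time):
        self._key = integrity_key          # in production: from a key manager, not source code
        self._clock = clock                # injectable clock so the timeout can be tested
        self._records: Dict[str, Tuple[bytes, bytes]] = {}   # record_id -> (json, hmac tag)
        self.audit_log: List[dict] = []

    def _tag(self, blob: bytes) -> bytes:
        return hmac.new(self._key, blob, hashlib.sha256).digest()

    def _audit(self, session: Session, record_id: str, outcome: str) -> None:
        # Audit control: log every attempt, allowed or denied, with the unique user ID.
        self.audit_log.append({"ts": self._clock(), "user": session.user_id,
                               "record": record_id, "outcome": outcome})

    def store(self, record_id: str, record: dict) -> None:
        blob = json.dumps(record, sort_keys=True).encode()
        self._records[record_id] = (blob, self._tag(blob))

    def read(self, session: Session, record_id: str) -> Optional[dict]:
        now = self._clock()
        if not session.active or now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            session.active = False                      # automatic logoff
            self._audit(session, record_id, "denied:session-expired")
            return None
        session.last_activity = now
        entry = self._records.get(record_id)
        if entry is None:
            self._audit(session, record_id, "denied:no-such-record")
            return None
        blob, tag = entry
        if not hmac.compare_digest(tag, self._tag(blob)):  # integrity check before use
            self._audit(session, record_id, "denied:integrity-failure")
            return None
        allowed = ROLE_FIELDS.get(session.role, set())
        view = {k: v for k, v in json.loads(blob).items() if k in allowed}
        self._audit(session, record_id, "allowed")
        return view


def demo() -> dict:
    """Walk through the safeguards with a fake clock; returns the outcomes."""
    fake_now = [1_700_000_000.0]
    store = EphiStore(integrity_key=b"constructed-demo-key", clock=lambda: fake_now[0])
    store.store("MRN-0001", {"name": "A. Example", "dob": "1980-01-01",
                             "diagnosis": "J45.20", "prescriptions": ["fluticasone"],
                             "account_number": "ACCT-42", "claims": ["CLM-9"]})
    billing = Session("u-billing-07", "billing", fake_now[0])
    clinician = Session("u-clin-03", "clinician", fake_now[0])
    results = {}
    results["billing_view"] = store.read(billing, "MRN-0001")   # billing fields only
    fake_now[0] += IDLE_TIMEOUT_SECONDS + 1                       # clinician sat idle too long
    results["clinician_after_idle"] = store.read(clinician, "MRN-0001")
    results["clinician_active"] = clinician.active
    # Simulate an out-of-band modification of the stored record (e.g. edited on disk).
    blob, tag = store._records["MRN-0001"]
    store._records["MRN-0001"] = (blob.replace(b"J45.20", b"Z00.00"), tag)
    fresh = Session("u-clin-03", "clinician", fake_now[0])
    results["tampered_read"] = store.read(fresh, "MRN-0001")    # integrity failure
    results["audit_outcomes"] = [e["outcome"] for e in store.audit_log]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two design points worth noting for a real deployment: the denied attempts are logged as deliberately as the allowed ones, because the accounting-of-disclosures and incident-response duties discussed earlier depend on that record; and the integrity check runs before any field is returned, so a tampered record is never partially disclosed.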

16 Safeguards
Covered entities must utilize safeguards to protect PHI and take the following actions:
- Restrict access to only those who need physical and/or technical access to PHI and ePHI.
- Records that contain PHI should be maintained in a secured location.
- Records that contain PHI should be shredded before discarding.
- Passwords should not be shared with anyone.

A covered entity's safeguards are the first line of defense in protecting ePHI. Covered entities must employ safeguards to protect ePHI; remember to take the following actions. Physical access (such as to file servers or data centers) and technical access (such as a user ID and password) should be limited to those with a need to know, a legal right to know, or as mandated by state or federal law. (Review the specific job roles that have access to ePHI within your organization.) Records that contain protected health information should be maintained in a secure location; secure this information except when you are using it for a specific purpose. (Review where PHI is housed in your office and how it is secured.) Records that contain protected health information should be shredded before discarding, once record retention minimums have been met. HIPAA itself requires that required documentation (policies, procedures, risk analyses and similar records) be retained for six years; retention periods for medical records themselves are set by state law and may be longer, so check your organization's retention schedule before destroying anything. Passwords should not be shared with anyone. Electronic protected health information must also be safeguarded. (Review specific password policies, as applicable.) Ensure the data is kept confidential, that its integrity is maintained so it is not inappropriately changed or corrupted, and that it can be recovered if lost, stolen or destroyed. HIPAA Security Rule safeguards are all about protecting the confidentiality, integrity and availability of the ePHI the organization creates, receives, maintains or transmits.

17 Contingency Plans
Are required in writing.
Should address:
- Where you come in contact with PHI
- Who may need to access PHI
- What systems will require protection
- How and when to deal with ePHI threats
Must include:
- Data backups
- A disaster recovery plan
- An emergency mode operation plan
Should also consider (addressable specifications):
- Applications and data criticality analysis
- Testing and revision procedures

A common element in all three safeguards is the existence of policies and procedures. Covered entities must document a plan, including policies and procedures that specifically address concerns raised by the Security Rule, and then review it periodically. Covered entities must also implement contingency plans to recover ePHI after a loss due to breach or disaster. Plans should be kept not only in electronic format but in written format as well, since the electronic copy may be unavailable in exactly the situation the plan is for. Contingency plans should address where you come in contact with PHI, who may need to access PHI, what systems will require protection, and how and when to deal with ePHI threats. Plans must include, but are not limited to: regularly scheduled data backups; a disaster recovery plan; and an emergency mode operation plan. Last, the Security Rule lists two further items as addressable specifications, meaning the organization must implement them or document why an alternative is reasonable: an analysis of which applications and corresponding data are critical, and disaster recovery testing, with revisions to the plan when the tests reveal gaps.

18 Why Comply? HIPAA Violation Penalties

Civil penalties (statutory amounts under HITECH; HHS adjusts them annually for inflation):

  Violation category                            Each violation        All identical violations per calendar year
  Unknowing violation                           $100 - $50,000        $1,500,000
  Reasonable cause, not willful neglect         $1,000 - $50,000      $1,500,000
  Willful neglect, timely corrected             $10,000 - $50,000     $1,500,000
  Willful neglect, not timely corrected         $50,000               $1,500,000

Criminal penalties (apply to individual employees, not just the entity, for knowing misuse):

  Offense                                                     Fine up to     Imprisonment up to
  Knowingly obtaining or disclosing PHI                       $50,000        1 year
  Doing so under false pretenses                              $100,000       5 years
  Doing so with intent to sell, transfer or use for
  commercial advantage, personal gain or malicious harm       $250,000       10 years

It is important to comply with the HIPAA Privacy and Security Rules because noncompliance can result in civil and criminal penalties. Civil penalties range from $100 per violation up to $1.5 million per calendar year for all violations of an identical provision, and the tier depends on the organization's culpability: whether it did not know, had reasonable cause, or showed willful neglect, and whether it corrected the problem in time. Criminal penalties are separate and can reach the individual employee. If you knowingly obtain or disclose PHI, fines may reach $50,000 and imprisonment up to one year; if you do so under false pretenses, up to $100,000 and five years; and if you obtain or disclose PHI with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm, fines may be as large as $250,000 with imprisonment up to ten years.

19 Contact your HR team for more information on your organization’s policies and procedures.