Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy, Confidentiality, Security, and HIPAA

Published byBjørn Nils Erlandsen Modified over 4 years ago

Similar presentations

Presentation on theme: "Privacy, Confidentiality, Security, and HIPAA"— Presentation transcript:

1 Privacy, Confidentiality, Security, and HIPAA
NURS 737: Concepts in Nursing Informatics Module 2, Subtopic 3 Privacy, Confidentiality, Security, and HIPAA This document is intended solely for the use of N737. Not for distribution

2 Privacy, Confidentiality, and Security
“Privacy is the control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others.” Example: Persons may not want to be seen entering a place that might stigmatize them, such as a pregnancy counseling center clearly identified by signs on the front of the building “Confidentiality pertains to the treatment of information/data that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure.” ( Security - measures taken to guard against espionage or sabotage, crime, attack, or escape 2

3 The Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA law has evolved over time. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. The AS provisions also address the Security and Privacy of health data. ( 3

4 How HIPAA Affects Whom HIPAA is NOT JUST about Privacy of patient data! IT also includes: Employer Identifier gives a unique code to your employer for Medicare/Medicaid/FICA purposes Privacy and Confidentiality Standards and Security Standards affect the entire healthcare continuum Transactions and Code Sets Standards require specific coding criteria for all electronic transactions with CMS 4

5 The Health Insurance Portability and Accountability Act (HIPAA)
Under the Affordable Care Act of 2010, provisions to HIPAA of 1996 further increase use of electronic data interchange and include requirements to adopt: operating rules for each of the HIPAA covered transactions a unique, standard Health Plan Identifier (HPID) standard and operating rules for electronic funds transfer (EFT), electronic remittance advice (RA), and claims attachments. In addition, health plans will be required to certify their compliance. 5

6 HIPAA Omnibus Rule Much has changed in health care since HIPAA was enacted over fifteen years ago. HHS announces a final rule that implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA (2009) The new rule will help protect patient privacy and safeguard patients’ health information (

7 Administrative Simplification
The purpose of this law is to “mandate new security standards to protect an individual’s health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans.” 7

8 Administrative Simplification
Electronic transactions and code sets standards requirements Privacy requirements Security requirements National identifier requirements 8

9 HIPAA: Electronic transactions and code sets standards
Transaction Standards (ANSI X12N or NCPDP) A transaction is an electronic exchange of information between two parties to carry out financial or administrative activities related to health care. Under HIPAA, HHS adopted certain standard transactions for the electronic exchange of health care data. These transactions include: Claims and encounter information Payment and remittance advice Claims status Eligibility Enrollment and disenrollment Referrals and authorizations Coordination of benefits Premium payment ( 9

10 HIPAA: Electronic transactions and code sets standards
Under HIPAA, HHS adopted specific code sets for diagnoses and procedures used in all transactions. Code sets classify medical: Diagnoses; Procedures; Diagnostic tests; Treatments; Equipment and supplies They inform diverse health care functions, from billing to tracking public health. Code sets outlined in HIPAA include: ICD-10 – International Classification of Diseases, 10th edition Health Care Common Procedure Coding System (HCPCS) CPT-Current Procedure Terminology CDT – Code on Dental Procedures and Nomenclature NDC – National Drug Codes ( 10

11 HIPAA: Electronic transactions and code sets standards
Unique Identifiers: HIPAA establishes and requires unique identifiers for: Health plans – HPID, or Health Plan Identifier, is a standard, unique identifier for health plans  Employers – EIN, or Employer Identification Number, is issued by the Internal Revenue Service and is used to identify employers in electronic transactions  Providers – NPI, or National Provider Identifier, is a unique 10-digit number used to identify health care providers Patients – There is no adopted standard to identify patients NPIs and EINs must be used on all HIPAA transactions. ( 11

12 Privacy Rules The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information (PHI) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.  The Rule requires appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. ( 12

13 The HIPAA Privacy Rules
Business Associates By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. Health care providers and health plans often use the services of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose PHI to these “business associates” (BA) if they obtain satisfactory assurances that the BA will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may not disclose PHI for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate. ( 13

14 The HIPAA Security Rules
The HIPAA Security Rule establishes national standards to protect individuals’ ePHI that is created, received, used, or maintained by a covered entity. The Security Rule requires the following appropriate safeguards to ensure the confidentiality, integrity, and security of electronic protected health information:   Administrative safeguards Physical safeguards Technical safeguards Organizational requirements

15 Common Security Breaches
Examples: Inside jobs, social engineering Brute force Eavesdropping, sniffing, snooping Data modification Identity spoofing Password-based attacks Denial of service attacks Man in the middle attacks Application layer attacks

16 Administrative Safeguards
Address process of security management in your organization. Risk analysis Evaluating likelihood and impact of potential risks to ePHI Implementing appropriate security measures to address identified risks Documenting security measures chosen, with rationale Maintaining continuous, reasonable, appropriate protections Ongoing process, with regular reviews Presenter :17:02 Administrative safeguards address the process you have put into place in your organization to administer security of the ePHI system. Each organization is required to identify and analyze potential risks to its ePHI, and it must implement security measures that reduce those risks and vulnerabilities to a reasonable and appropriate level. This is done using a risk analysis. A risk analysis process includes, but is not limited to, the following activities: Evaluate the likelihood and impact of potential risks to ePHI; Implement appropriate security measures to address the risks identified in the risk analysis; Document the chosen security measures and, where required, the rationale for adopting those measures; and Maintain continuous, reasonable, and appropriate security protections. This should be an ongoing process. Regular reviews should be performed to evaluate the effectiveness of the security measures put in place, and newly identified potential risks to ePHI should be addressed in an ongoing fashion.

17 Administrative Safeguards (cont.)
(For the tools and guidance, click on the links below.) Security Risk Assessment Tools HHS Security Risk Assessment Tool NIST HIPAA Security Rule Toolkit  Risk Analysis Guidance: Read the Guidance on Risk Analysis requirements under the Security Rule.

18 Administrative Safeguards (cont’d)
Designated security official Responsible for developing and implementing security policies and procedures. Knowledge of good HIPAA practices Familiarity with established IT security standards Ability to interface well with all levels of management and staff Policies & procedures for authorizing access to ePHI only when appropriate for one’s role (role-based access). Who gets access to ePHI data? What level of access is needed? Who is the agent authorizing the access? Is this authorization adequately documented? Is the access periodically reviewed?

19 Administrative Safeguards (cont’d)
Processes for appropriate authorization and supervision of workforce members who work with ePHI. Well-documented training of all workforce members in security policies and procedures Appropriate sanctions against violators.

20 Physical Safeguards: Access
Limit physical access to facilities, while ensuring that authorized access is allowed. Server rooms where ePHI is stored Work areas where ePHI is accessed Back-up media storage potentially containing ePHI Inventory hardware and software. Know where inventory is kept. Know value of hardware, software, equipment.

21 Physical Safeguards: Access
Limit physical access to facilities, while ensuring that authorized access is allowed. Server rooms where ePHI is stored Work areas where ePHI is accessed Back-up media storage potentially containing ePHI Inventory hardware and software. Know where inventory is kept. Know value of hardware, software, equipment. Presenter :17:02 Physical safeguards are written to address issues regarding facility access control, workstation use, workstation security, and device and media controls. This includes limiting physical access to work facilities without impeding access to those requiring access. This is particularly true in areas where ePHI may be present including work areas, server rooms, back-up media storage units, and the like. These areas require an extra level of protection to limit access to authorized users only and, whenever possible, create a structure for logging access, particularly any irregularities such as for maintenance staff, etc, who may require entry into these locations but are not considered routine in nature. Additionally, keeping a reliable hardware inventory – along with its value and locations – is also an important safeguard to preventing theft of a system which may inadvertently contain ePHI data. Component 8/Unit 6a Health IT Workforce Curriculum Version 2.0 Spring 2011

22 Physical Safeguards: Access (cont’d)
Policies and procedures for proper use of & access to workstations & electronic media, including transfer, removal, disposal, re-use. Lock down publicly-accessible systems potentially containing ePHI. Strong passwords (8-14 characters with variety of letters, symbols, numbers) changed regularly. At least 256-bit encryption, especially for wireless, backups, & offsite data. Media destroyed after being thoroughly wiped.

23 Technical Safeguards: Access Control
Access controls, audit controls, integrity, person, user/entity authentication, transmission security Most effective: layered approach. Multiple technologies employed concurrently. Adequate access controls include: AD (Active Directory), LDAP (Lightweight Directory Access Protocol) Vendor-specific controls usually part of EHR

24 Technical Safeguards: Firewall
Inspects incoming network traffic; permits or denies access based on criteria. Hardware- or software-driven. Blocks ports through which intruders can gain access (e.g., port 80, which regulates web traffic). Most commonly placed on network perimeter (network-based) or network device (host- based). EHR will require certain ports to remain open.

25 Firewalls Blocked Allowed Blocked Allowed Allowed NETWORK FIREWALL
COMPUTER FIREWALL Health IT Workforce Curriculum Version 2.0 Spring 2011

Download ppt "Privacy, Confidentiality, Security, and HIPAA"

Similar presentations

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.

HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.

CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.

© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Similar presentations

Ads by Google