HIPAA

1
HIPAA

• Health Insurance Portability and Accountability
  Act
• 1996

2
HIPAA

• Highly Intricate Paperwork in Abundant Amounts

3
Discussion Topics

• Covered Entities
• Protected Health Information
• Patient Privacy Rights
• Virginia Public Records Act
• Security Requirements
• FERPA
• Electronic Medical Record

4
HIPAAWhat is it?

• Titles I V
• Portability
• Administrative Simplification

5
Administrative Simplification

• Transaction Code Set Rule
• Privacy Rule
• Security Rule
• Electronic Signatures Rule

6
Data Integrity, Confidentiality and Availability
of health care
YES!
HIPAA P-M-0509-01-00
7
Who Does HIPAA Apply To?Covered Entities

• All health care providers who
• Furnish, bill, and pay for health care services
  in the normal course of business and
• Transmit any health information in electronic
  form in connection with specified transactions
• All health care clearinghouses and
• All health plans.

8
What Does HIPAA Apply To?(PHI)

• Individually identifiable health information
• Any health care information maintained, used or
  communicated that
• Is created or received by a health care provider,
  health plan, public health authority, employer,
  life insurer, school or university
• Related to an individuals past, present or
  future physical or mental health or condition
• Identifies the individual or there is a
  reasonable basis to believe the individual can be
  identified.

9
Business Associate

• On behalf of such covered entity. Performs a
  function or activity involving the use or
  disclosure of individually identifiable health
  information ..

10
Covered Entity Requirements

• Privacy Officer
• Security Officer
• Listing of Covered Functions
• Certify HIPAA Compliance

11
Statement of Privacy Rights

• Right to request restrictions on disclosures
• Right to receive confidential communication
• Right to inspect and copy information
• Right to amend information and
• Right to receive an accounting of disclosures.

12
Permissible Disclosures

• To the Individual
• For Treatment, Payment or Health Care Operations
  and
• Incidental to a Use or Disclosure Otherwise
  Permitted.

13
Permissible Disclosures(requires disclosure note)

• Public Health Activities
• Victims of Abuse, Neglect, or Domestic Violence
• Health Care Oversight Organizations
• Judicial and Administrative Proceedings
• Limited Information for Law Enforcement
• Coroners and Funeral Directors
• For Organ or Tissue Donations

14
Authorization for Disclosure

• Specify what information to disclose, where to
  disclose it and for what time period.
• Designate a Personal Representative.
• Define manner of communication.

15
Audit of Disclosures

• Patients right to know disclosures for a period
  of six years.
• Record permissible disclosures that are not for
  tx., payment, or internal operations.
• Record retention is six years.

16
Security versus Privacy

• It is possible to secure information without
  making it private, however, it is not possible to
  protect privacy without having security.
• Security is defined as the ability to control
  access and protect information from accidental or
  intentional alteration, destruction, loss or
  disclosure to unauthorized persons.
• Privacy is defined as controlling who is
  authorized to access information.

17
Security Rule

• Designed to protect electronic data at rest and
  in transit through
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards.
• The security standards work in concert with the
  final privacy standards by using many of the same
  terms and definitions.

18
Guard Data Integrity, Confidentiality, and
Availability

• Chain of Trust Partner Agreement
• Risk Assessment
• Contingency Plan
• Formal Mechanism for Processing Records
• Information Access Control

19
Continued. .

• Personnel Security
• Security Incident Procedures
• Security Awareness Training
• Communications or Network Controls and
• Data Authentication.

20
Steps to HIPAA Security Compliance
21
Whos accountable?

• HIPAA has civil penalties for failure to use
  adopted standards and criminal penalties for
  wrongfully disclosing confidential information.
• The civil penalties consist of fines of 100 per
  incident, up to 25,000 per person, per year, per
  standard violated.
• The federal criminal penalties range up to
  250,000 to 10 years in prison for knowingly and
  improperly disclosing or obtaining protected
  health information under false pretenses.

HIPAA P-M-0509-01-00
22
Virginia Public Records Act

• Governs all boards, commissions, departments,
  divisions, institutions, authorities, or parts
  thereof.
• Establishes more stringent requirements than
  HIPAA.

23
Health Records

• HIPAA
• 164.501 Designated Record Set
• (2) The term record means any item, collection,
  or grouping of information that includes
  protected health information and is maintained,
  collected, used, or disseminated by or for a
  covered entity.

• Virginia
• 42.1-77 Medical records means the documentation
  of health care services, whether physical or
  mental, rendered by direct or indirect
  patient-provider interaction which is used as a
  mechanism for tracking the patients health
  status.

24
The Bridge BetweenPrivacy, Security and
Electronic Health Records

• Electronic Health Records
• Electronic software that electronically stores
  and transports standardized patient health
  information from one health care provider to
  another and is accessible (and usable) by
  providers.

25
National Initiative

• By computerizing health records, we can avoid
  dangerous medical mistakes, reduce costs and
  improve care.
• George W. Bush, State of the Union Address

26
Presidents Information Technology Advisory
Committee

• 21st Century Health Care Information
  Infrastructure
• Electronic health records (EHR)
• Computer-assisted clinical decision support
  (CDS)
• Computerized provider order entry (CPOE) and
• Secure, private, interoperable, electronic health
  information exchange.

27
EHRInteroperability

• The ability of two or more systems or components
  to exchange information and to use the
  information that has been exchanged.
• Regulated by the HIPAA Transactions and Code Sets
  Rule, Privacy Rule, and Security Rule
• Virginia HB 2236 (2005)
• Executive Directive 6

28
How Can the EHR Enhance Privacy and Security?

• Control Physical and System Access
• Monitor Workstation Use and Security
• Audit Access and Need-to-Know
• Enhance Device and Media Controls
• Employ Transmission Security

29
Managing Physical Access

• Systems are physically inaccessible to
  unauthorized users
• A Security Plan addresses safeguards against
  tampering and theft and
• Contingencies in place to recover or restore lost
  data.

30
Managing Technical/System Access

• Identification and authentication
• Access control lists
• Automatic log-off and
• Some job functions might only be available at
  certain workstations

31
Monitoring and Audit Controls

• Intrusion detection
• Audit users for authorized use of PHI
• Apply sanctions for failure to comply with
  policies and procedures

32
Transmission Security

• Encryption
• The transformation of plain text into an
  unreadable cipher text.

33
Family Educational Rights and Privacy Act

• FERPA

34
FERPA

• Provide a parent access to their childs
  educational records.
• Provide a parent an opportunity to seek
  correction of records they believe to be
  inaccurate.
• Obtain written permission of a parent before
  disclosing information contained in the students
  educational record.

35
Educational Records

• Directly related to a student and
• Maintained by an educational agency or
  institution or by a party acting for the agency
  or institution.
• Record means any information recorded in any way,
  including, but not limited to, handwriting,
  print, computer media, video or audio tape, film,
  microfilm, and microfiche.

36
Responsibility

• An educational agency or institution shall give
  full rights under the Act to either parent,
  unless the agency or institution has been
  provided with evidence that there is a court
  order, State statute or legally binding document
  relating to such matters as divorce, separation,
  or custody that specifically revokes these rights.

37
Permitted Disclosures

• To other school officials within the agency or
  institution that have a legitimate educational
  interest.
• To officials of another school where the student
  seeks to enroll.
• Authorized government officials.
• To comply with a judicial order or lawfully
  issued subpoena.

38
Schools Must

• Inform parents and eligible students of their
  rights under FERPA.
• Maintain an audit of requests and disclosures of
  educational records.
• Record and report any requests to amend the
  educational records whether granted or not.

39
HIPAA FERPA

• Information contained in an educational record is
  protected by FERPA.
• Information requested by the school but stored
  elsewhere (i.e. school nurse) could be protected
  by HIPAA.

40
Whos Accountable

• Enforced by the Family Policy Compliance Office,
  U.S. Department of Education.
• Compliance is complaint driven.
• If educational agency does not comply with a
  remediation plan, the Secretary can withhold
  payments under any applicable program, issue a
  cease-and desist order or terminate eligibility
  to receive further funding.

41
(No Transcript)
42
ThanksYouve just experienced HIPAAnosis
HIPAA P-M-0509-01-00