This slideshow provides a brief overview of the basics of HIPAA. Viewers receive a walkthrough of its core fundamentals. This is Part 1 of 3 in a series that educates primary care providers on achieving HIPAA compliance.
Added: May 02, 2021
Slides: 35 pages
Slide Content
SECTION 1 THE BASICS OF HIPAA COMPLIANCE A BEGINNER'S GUIDE
COURSE OUTLINE WHAT WE'RE COVERING We will cover the progression of HIPAA from its origin to the present, including COVID-19 updates. Next, we will focus on the HIPAA Privacy and Security Rules.
DISCLAIMER This Guide is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this Guide. DAMIAN KNOWLES
A BRIEF HISTORY WHAT IS HIPAA? HIPAA is an acronym for “The Health Insurance Portability and Accountability Act.” The Act's Privacy, Security, and Breach Notification Rules protect a patient's health information and give patients rights over how that information is used and disclosed.
A BRIEF HISTORY WHEN WAS HIPAA STARTED? HIPAA was signed into law by President Bill Clinton on August 21, 1996.
A BRIEF HISTORY WHAT IS THE INTENT OF HIPAA? HIPAA was meant to improve the portability and accountability of employees' health insurance coverage when they move between jobs. Another objective was to curb fraud and abuse in health insurance and in the health care industry as a whole. HIPAA also established guidelines requiring the health care industry to protect patients' medical records. As technology advanced, the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 provided financial incentives for health care providers to move to electronic health records and strengthened HIPAA's privacy and security requirements. Meanwhile, Congress recognized that advances in electronic technology could negatively impact the privacy of health information. Consequently, Congress incorporated provisions that required the adoption of federal privacy protections for individually identifiable health information.
A BRIEF HISTORY WHO MUST COMPLY WITH HIPAA? Covered entities and business associates, as applicable, must follow the HIPAA Rules. If an entity does not meet the definition of a covered entity or a business associate, it does not have to comply with the HIPAA Rules.
COMMONLY USED TERMS Implementation Specification An implementation specification is a more detailed description of the method or approach primary care organizations can use to meet a particular requirement. Addressable “Addressable” means there is flexibility in how a specification is implemented, not in whether it is addressed. You must assess whether the specification is reasonable and appropriate for your environment; if it is, implement it; if it is not, document why and implement an equivalent alternative measure where reasonable and appropriate. “Addressable” never means “optional.” Required “Required” specifications simply must be implemented; if you do not implement them, you fail to comply with the Security Rule.
BUSINESS ASSOCIATES A business associate is a person or organization, other than a workforce member of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI. WHAT IS A COVERED ENTITY? A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction.
Examples of Covered Entities
HEALTH CARE PROVIDERS, such as hospitals, nursing homes, and pharmacies
HEALTH PLANS
HEALTH CARE CLEARINGHOUSES
Examples of Business Associates
ANY SUBCONTRACTOR OF A COVERED ENTITY WITH ACCESS TO PROTECTED HEALTH INFORMATION, such as e-prescribing gateways, transcriptionists, and lawyers
3 MUST KNOW HIPAA RULES The Privacy Rule The Privacy Rule sets national standards for when protected health information (PHI) may be used and disclosed. The Security Rule The Security Rule specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Breach Notification Rule The Breach Notification Rule requires covered entities to notify affected individuals, the U.S. Department of Health & Human Services (HHS), and, in some cases, the media of a breach of unsecured PHI.
HIPAA BASICS WHAT TYPES OF INFORMATION DOES HIPAA PROTECT? The Privacy Rule protects most individually identifiable health information held or transmitted by a covered entity (CE) or its business associate (BA), in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” or “PHI.”
COMMONLY USED TERMS WHAT IS PROTECTED HEALTH INFORMATION? Protected Health Information (PHI) is any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity, in any form, including verbal communications. PHI is information that can be linked to a particular person and that is created, used, or disclosed while providing or paying for a health care service (e.g., diagnosis or treatment).
HIPAA BASICS WHO IS RESPONSIBLE FOR ENFORCEMENT? The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules.
$2.5M A laptop containing the ePHI of 1,391 individuals was stolen. The investigation revealed insufficient risk analysis and risk management processes in place at the time of the theft.
PENALTIES FOR VIOLATIONS FINES ARE BASED ON INTENT Civil penalties are tiered by the level of culpability, from lowest to highest:
Did Not Know (and Could Not Have Known)
Reasonable Cause and Not Willful Neglect
Willful Neglect, but Corrected Within 30 Days
Willful Neglect and Not Corrected Within 30 Days
(The original slide shows these four tiers as a bar chart of increasing penalty amounts.)
HIPAA BASICS THE HIPAA PRIVACY RULE HIPAA PRIVACY RULE LIMITS USES AND DISCLOSURES OF PATIENT INFORMATION
DO I NEED TO INFORM MY PATIENTS ABOUT HOW I USE OR DISCLOSE THEIR HEALTH INFORMATION? Yes. A CE must prominently post and distribute a Notice of Privacy Practices (NPP). The notice must describe the ways in which the CE may use and disclose PHI. The notice must state the CE's duties to protect privacy, to provide an NPP, and to abide by the terms of the current notice.
NOTICE OF PRIVACY PRACTICES NPPs must include the following information:
How the CE may use and disclose an individual's PHI
The individual's rights with respect to the information, and how the individual may exercise these rights
The CE's legal duties with respect to the information, including a statement that the CE is required by law to maintain the privacy of PHI and to provide this notice
How the individual may complain to the CE
Whom individuals can contact for further information
DO I HAVE TO GET MY PATIENTS' PERMISSION TO DISCLOSE THEIR PHI TO ANOTHER CE? Not in every case. A CE may disclose PHI to another CE without authorization when the disclosure is for treating the patient; for the receiving CE's payment activities; or for certain health care operations of the receiving CE, provided both CEs have (or had) a relationship with the patient, such as quality assessment and improvement activities, reviews of competence or qualifications, or fraud and abuse detection or compliance.
WHEN ARE PATIENT AUTHORIZATIONS NOT REQUIRED FOR DISCLOSURE? You may disclose PHI about a patient, without the patient's authorization, as necessary for treatment, payment, and health care operations purposes.
DO I NEED PERMISSION FOR DISCLOSURES TO FAMILY, FRIENDS, AND OTHERS INVOLVED IN THE CARE OF THE INDIVIDUAL, AS WELL AS FOR NOTIFICATION PURPOSES? Yes. To make disclosures to family and friends involved in the individual's care or for notification purposes, or to other persons whom the individual identifies, you must obtain informal permission by asking the individual outright, or by determining that the individual did not object in circumstances that clearly gave the individual the opportunity to agree, acquiesce, or object.
DO I NEED PERMISSION TO DISCLOSE INFORMATION IF NEEDED TO ENSURE PUBLIC HEALTH AND SAFETY? You may disclose PHI without individual authorization in the following situations:
To send immunization records to a school, where state law requires the school to have them and the parent or guardian (or the adult patient) agrees
To a public health authority that is authorized by law to collect or receive the information
To a foreign government agency that is acting in collaboration with a public health authority
To persons at risk of contracting or spreading a disease, where authorized by law
WHEN ARE PATIENT AUTHORIZATIONS REQUIRED FOR DISCLOSURE? Written authorization is required for uses and disclosures of:
Psychotherapy Notes
Marketing Activities
PHI Sales and Licensing
Research (in most cases)
WHAT IS DE-IDENTIFIED PHI? DE-IDENTIFIED HEALTH INFORMATION NEITHER IDENTIFIES NOR PROVIDES A REASONABLE BASIS TO IDENTIFY AN INDIVIDUAL. Once health information has been de-identified under the Privacy Rule's standards, it is no longer PHI and the Privacy Rule's restrictions on use and disclosure no longer apply to it.
WHAT ABOUT PATIENT INFORMATION PERTAINING TO BEHAVIORAL HEALTH OR SUBSTANCE ABUSE? THE HIPAA RULES APPLY EQUALLY TO ALL PHI, INCLUDING INDIVIDUALLY IDENTIFIABLE BEHAVIORAL HEALTH OR SUBSTANCE ABUSE INFORMATION THAT YOUR PRACTICE COLLECTS OR MAINTAINS IN A PATIENT'S RECORD. Other federal and state laws may impose additional restrictions on this information (see Other Laws and Requirements).
FEDERAL AND STATE PRIVACY LAWS — WHICH PREVAIL? HIPAA SETS A FEDERAL FLOOR. STATE LAWS THAT CONFLICT WITH THE HIPAA RULES ARE PREEMPTED, BUT STATE LAWS THAT ARE MORE STRINGENT (THAT IS, OFFER GREATER PRIVACY PROTECTION) REMAIN IN EFFECT AND MUST ALSO BE FOLLOWED.
The HIPAA Security Rule The Security Rule's safeguards can help health care providers close the common security gaps that lead to intrusions and data loss.
SECURITY RULE SAFEGUARDS Administrative Administrative safeguards are administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures and to prevent, detect, contain, and correct security violations. Physical Physical safeguards are physical measures, policies, and procedures to protect electronic information systems and related equipment from natural and environmental hazards and unauthorized intrusion. Technical Technical safeguards are the technology, and the policies and procedures for its use, that protect ePHI and control access to it. Organizational These standards require a CE to have contracts or other arrangements with BAs that will have access to the CE's ePHI. Policies and Procedures These standards require a CE to adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule, and to document them.
The HIPAA Breach Notification Rule A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the CE or BA can demonstrate a low probability that the PHI has been compromised.
RISK ASSESSMENT PROCESS FOR BREACHES When you suspect a breach of unsecured PHI has occurred, first conduct a risk assessment to examine the probability that the PHI has been compromised, considering at least: the nature and extent of the PHI involved; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Document the assessment and its conclusion.
REPORTING BREACHES If, after performing the risk assessment, you determine that breach notification is required, there are three types of notification to be made: to the affected individuals; to the Secretary of HHS; and, when a breach affects more than 500 residents of a state or jurisdiction, to prominent media outlets serving that area.
OTHER LAWS AND REQUIREMENTS Sensitive Health Information Some laws recognize that particular health conditions may put individuals at a higher risk of discrimination or harm based on that condition. Some state laws require special treatment and handling of information relating to alcohol and drug abuse, genetics, domestic violence, mental health, and HIV/AIDS. Adolescent/Minors' Information State and federal laws generally authorize a parent or guardian to access a minor's information. Depending on age and health condition (e.g., reproductive health, child abuse, mental health), minors also have privacy protections related to their ability to consent to certain services under federal or state law. Private Sector A contracting health plan or payer may require additional confidentiality measures or safeguards.