Complying with HIPAA Privacy Rule
What is HIPAA?
• HIPAA: Health Insurance Portability and Accountability Act
• It was passed by Congress in 1996
• It includes requirements for:
 – Transfer and continuation of health insurance coverage for millions of American workers and their families when they change or lose their jobs
 – Reducing healthcare fraud and waste
 – The protection and confidential handling of protected health information
HIPAA Privacy Rule
• Establishes national standards to protect individuals’ medical records and other personal health information
• Imposes restrictions on the use/disclosure of personal health information
• Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections
• Applies to:
 – health plans,
 – healthcare clearinghouses, and
 – those healthcare providers that conduct certain healthcare transactions electronically.
What is Protected Health Information (PHI)?
Protected Health Information (PHI), or “individually identifiable health information”, is information, including demographic data, that relates to:
 – the individual’s past, present or future physical or mental health or condition,
 – the provision of health care to the individual, or
 – the past, present, or future payment for the provision of health care to the individual,
 – and any information that identifies the individual
Individually identifiable health information can be the name, address, birth date, Social Security Number and so on.
What is a Notice of Privacy Practices?
• Each covered entity must provide a notice of its privacy practices.
• The notice, in plain language, must include:
 – the ways in which the covered entity may use and disclose protected health information
 – the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice
 – the individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated
 – a point of contact for further information and for making complaints to the covered entity
 – an effective date
Permitted Use and Disclosure of Information
• A covered entity may disclose PHI to the individual who is the subject of the information.
• PHI can be disclosed without the individual’s permission/authorization for 12 national priority purposes:
 – Required by law
 – Public health activities
 – Victims of abuse, neglect or domestic violence
 – Health oversight activities
 – Judicial and administrative proceedings
 – Law enforcement purposes
 – Decedents (PHI may be disclosed to coroners/medical examiners/funeral directors to identify the deceased)
 – Cadaveric organ/eye/tissue donation
 – Research
 – Serious threat to health and safety
 – Essential government functions
 – Workers’ compensation
Reasonable Safeguards
• Incidental disclosure of PHI is allowed as long as covered entities have implemented/adopted reasonable safeguards.
• The following would be considered reasonable safeguards:
 – Speaking in a low voice when speaking to family members of a patient in a public area such as a waiting room
 – Not using patients’ names in public hallways and elevators when discussing cases
 – Posting notices/signs in public areas reminding employees to respect patient confidentiality
 – Limiting access to areas/rooms where patient data is stored, through access cards/biometric identification/locks
 – Implementing additional security measures on machines/computers where patient data is stored, such as passwords and unique log-in IDs issued only to approved individuals