- What is HIPAA and its importance?
- Security and Privacy Rules
- HIPAA Titles
- Most common issues
- HIPAA Violations
- Covered entities
- Cyber Attacks
- HIPAA Breach Notification Rule
- SRA Tool
HIPAA stands for Health Insurance Portability and Accountability Act, is a US federal law approved on 1996, that required the creation of national standard to protect sensitive patient health information from being disclosed without the patient's conset or knowledge.
The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requeriments of HIPAA.
- Standards for PHI and PII.
- Right to access.
Privacy Rule standards address the use and disclosure of individuals' health information (PHI: Protected Health Information) and personal information (Personally Identifiable Information) by entities subject to the Privacy Rules. These individuals and organizations are called "covered entities".
Privacy Rule also contains standards for individuals' rights to understand and control how their health information is used.
A major goal is to ensure that individuals' PHI is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being. It strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.
While HIPAA Privacy Rule safeguards PHI, the Security Role protects a buset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called "Electronic Protected Health Information (e-PHI)". The Security Rule does not apply to PHI transmitted orally or in writing.
To comply with HIPAA Security Rule, all covered entities must do the following:
- Ensure the confidentiality, integrity, and availability of all electronic PHI.
- Detect and safeguard against anticipated threats to the security of information.
- Protect against anticipated impermissible uses of disclosures.
- Certify compliance by their workforce.
Security Rule cover:
- Security standards for the protection of e-PHI.
- Administrative Safeguards.
- Physical Safeguards.
- Technical Safeguards.
- Lose or change jobs
- Group health plans
Title 2: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
- Security and Privacy Rules for PHI and PII.
- Outline civil and criminal penalties.
- Pre-tax dollars in medical saving accounts.
- HSA (Health Saving Accounts) may satisfy the definition of a "health plan" under HIPAA privacy rules, and therefore, be considered a "covered entity" and would need to comply with applicable HIPAA privacy rules.
- Pre-existing
- Coverage continuation (COBRA) until new coverage policy takes effect (useful for changing jobs while losing coverage for a period of time).
- Company owned life insurance.
- Citizenship.
- Misuse
- No protection
- Patient access
- Minimum necessary
- No safeguards for e-PHI
- Civil
- Criminal
- Accidently.
- Reasonable cause.
- Willful neglect and corrected.
- Willful neglect and not corrected.
- Willful and knowingly obtain/disclose PII/PHI.
- False pretenses.
- Intent to sell, transfer, or use PII/PHI for commercial advantage, personal gain, or malicious harm.
- Disclosing HIV testing of a patient in a public place.
- Faxing records to the wrong location.
- Accessing records without a need to know.
- Losing unencrypted hardware.
- Fraudulent paperwork.
- Public calendar.
- Data exposure.
The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
- Business associates
Most common entities are:
- Private Practices
- Hospitals
- Outpatient Facilities
- Group Insurance Plans
- PHarmacies
Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquires, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
Entities that provide or pay the cost of medical care.
Exception: a group health plan with fewer than 50 participants that is administered solely by the employer thaty established and maintains the plain is not a covered entity.
Entities that process nonstandard information they receive from another entity into a standard (format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individual identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
A person or organization (other than a member of covered entity's workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data anyltics, utilziation review, and billing.
- Know different types of malwares.
- Know different types of malware delivery (phishing, malvertising, insidet threats, removable devices)
According to HHS, a breach is any type of impermissible use or disclosure under Privacy Rule (PHI/PII).
There is different levels of breach notifications based on data involved on the breach:
- Individual
- Media (> 500 individuals affected)
- HHS Secretary
You can get SRA tool from www.healthit.gov by looking for hipaa security risk assessment tool.