Transcript
1
The Health Insurance Portability and Accountability Act (HIPAA) is comprised of two overarching parts--the Privacy Rule and Security Rule. The HIPAA Privacy Rule provides federal protections for personal health information and provides patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
This presentation will focus on ePHI (Electronic Protected Health Information) which is patient health information which is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media.
Electronic media includes computers, laptops, CDs/DVDs/disks, memory sticks, smart phones, PDAs, servers, networks, dial-modems, email, web-sites, etc.
2
HIPAA Privacy & Security Laws mandate protection and safeguards for access, use and disclosure of PHI and/or ePHI with sanctions for violations.
2
A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Because HIPAA targets how healthcare professionals use and or disclose the patients personal health information, this hopefully can enable the patient feel more at ease in regards to maintaining privacy of their records.
The Privacy Rule permits uses and disclosures incidental to an otherwise permitted use or
3
disclosure, provided minimum necessary and reasonable safeguard standards are met.
Examples: • talking to a patient in a semi-private room • talking to other providers if passers-by are present • waiting-room sign-in sheets; patient charts at bedside.
• Allows for common practices if reasonably performed
3
The following are computerized and security means of limiting access to portions of patient's records. 1. Unique User ID or Log-In Name i.e. User Access Controls 2. Password Protection (e.g. Jerusalem = Jeru$@!em) 3. Security for Workstations, Portable Devices & Laptops with ePHI 4. Data Management, e.g., back-up, archive, restore, disposal. 5. Secure Remote Access 6. E-Mail Security 7. Safe Internet Use and social media policies
4
HIPAA requires that Grace Hospital train its workforce members about the University’s HIPAA policies and specific procedures which may affect the w ork you do. These rules apply to you when you look at, use, or share Protected Health Information (PHI). Examples of patients information: • Patients name or address • Social Security or other ID numbers • Doctor’s/ Nurse’s personal notes • Billing information
Covered entities such as us, may use or disclose PHI under these provisions if required conditions are
5
met:
• • • • • As required by law For public health activities About victims of abuse, neglect or domestic violence For health oversight activities For judicial and administrative proceedings
Not all healthcare professionals need to have access to all components of the patient’s health information. For example, the hospital engineer entering a patient’s room to fix the television does not need to know the patients diagnosis. But you as a ancillary staff, do need to know the patient’s diagnosis to provide adequate care. Now, if the patient was infectious the only information that would be required is what protective equipment should the engineer wear. Again, the administrative safeguards play a vital role into the daily practices of Associates. Policies and procedures govern the practice and uphold the high standards of practice required when caring for people.
5
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.
6
A business associate is a person who, on behalf of a covered entity or of an organized health care arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity. Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, whom "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal
7
gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
7
The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights.
8
On January 25, 2013, The U.S. Department of Health and Human Services (HHS) published a long awaited “Final Rule” called “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (Omnibus Rule). There are three (3) specific areas that healthcare providers will need to focus on to comply with the new Omnibus Rule: • Privacy, Security, and Breach Notification policies and procedures; • Notice of Privacy Practices (NPP); and • Business Associate (BA) Agreements. The Omnibus Rule became effective on March 26, 2013, with a compliance period of 180 days, requiring all providers to be compliant with the new regulations by September 23, 2013. Business Associate Agreements provides that a business associate may use or disclose PHI only if such use or disclosure is in accordance with the HIPAA Privacy Rule’s required terms for business associate contracts.
9
The above-mentioned bill updates provisions establishing the duties of the executive commissioner of the Health and Human Services Commission (HHSC) with regard to protected health information. The bill includes provisions relating to training required for employees of covered entities, consumer access to and use of protected health information, and a report by the attorney general regarding consumer complaints
This bill raises and sets caps on the civil penalty that may be assessed against a covered entity for a violation of state medical records privacy laws based on certain standards of culpability and includes provisions relating to an action by the attorney general and the disciplinary powers of a licensing agency with regard to a violation of state medical records privacy laws. House Bill 300 requires HHSC, in consultation with TSHA and the Texas Medical Board, to review issues regarding the security and accessibility of protected health information maintained by an unsustainable covered entity and to submit a legislative report including certain recommendations regarding those issues not later than December 1, 2012. The bill creates a task force on health information technology and
10
requires the attorney general, not later than December 1, 2012, to appoint the task force members and chair.
10
11
12
13
