Welcome back everyone.
When patients are in our care, they become vulnerable, and risks to their privacy exist. As patient advocates, it's our responsibility to ensure we protect them. One way to protect their personal information is under the Health Insurance Portability and Accountability Act.
The Health Insurance Portability and Accountability Act, or HIPAA, was created primarily to modernize the flow of healthcare information, to stipulate how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and to address limitations on healthcare insurance coverage.
As the name implies, Personally Identifiable Information, or PII, is any data that can identify a person. Certain information like full name, date of birth, address, and biometric data is always considered PII. Although it doesn't explicitly address personally identifiable information, HIPAA regulates situations like this under the term Protected Health Information (PHI). PHI includes anything used in the medical context that can identify patients, such as their name, address, birthday, credit card number, driver's license number or medical record number.
Now there are 5 HIPAA rules:
the HIPAA Privacy Rule,
the HIPAA Security Rule,
the Breach Notification Rule,
the Omnibus Rule,
and the Enforcement Rule.
The HIPAA Privacy Rule.
This rule dictates how, when and under what circumstances PHI can be used and disclosed. It applies to all healthcare organizations, clearinghouses and entities that provide health plans. It sets limits regarding the use of patient information when no prior authorization has been given by the patient. It also mandates that patients and their representatives have the right to obtain a copy of their health records and to request corrections of errors. Now, covered entities have 30 days to respond to these types of requests.
The HIPAA Security Rule.
This sets the minimum standards to safeguard electronic PHI. Anyone who can access, create, alter or transfer electronic PHI must follow these standards. The HIPAA Security Rule has 3 kinds of safeguards. Technical safeguards include encryption if the data goes outside the company's firewall. Physical safeguards may relate to the layout of workstations; for example, screens can't be seen from the public area. And administrative safeguards require a security officer and a privacy officer to conduct regular risk assessments and audits. Now, these assessments aim to identify any ways in which the integrity of PHI is threatened and to build a risk management policy off the back of this.
</gree_replace>
<gr_replace lines="65-79" cat="clarify" orig="The Department">
The Breach Notification Rule.
The Department of Health and Human Services must be notified if a data breach has been discovered. Notification must be within 60 days of the breach's discovery for incidents involving 500 or more individuals. For breaches of fewer than 500 records, notification must be within 60 days of the end of the calendar year in which the breach was experienced. Individuals whose personal information has been compromised must also be informed within 60 days. If greater than 500 patients were affected in a particular jurisdiction, a media notice must be issued to a prominent news outlet serving that area.
The Department of Health and Human Services must
be notified if a data breach has been discovered.
So the Breach Notification Rule.
Notification must be within 60 days of the breach's
discovery for incidents involving 500 or more individuals.
Notification must be within 60 days
of the end of the calendar year
in which the breach was experienced
for breaches of fewer than 500 records.
And individuals whose personal information has been
compromised must also be informed within 60 days.
If greater than 500 patients were
affected in a particular jurisdiction,
a media notice must be issue to a
prominent news outlet servinig that area,
The Omnibus Rule.
This extends HIPAA coverage to business associates. It prohibits use of PHI for marketing or fundraising purposes without authorization. And it outlines new penalty tiers for violations of HIPAA.
The Enforcement Rule.
Should a breach of PHI occur, this rule lays out how any resulting investigations are carried out. Once the level of negligence has been determined, appropriate fines can be issued.
HIPAA covered entities are required to implement safeguards to ensure the confidentiality, integrity and availability of electronic PHI. Arguably one of the most important safeguards is encryption, especially on portable devices such as laptop computers that are frequently taken off site.
Common HIPAA violations include:
Risk analysis failures
Risk management failures
Lack of encryption or alternative safeguards
Security awareness training failures
Improper disposal of PHI
Impermissible disclosures of PHI
Failure to adhere to the minimum necessary standard
Failure to provide patients with copies of PHI on request
Failure to issue breach
So remember, compliance with HIPAA is an ongoing exercise.
So, thinking of everything we've covered today, I'd like you to consider this question: What are 4 security requirements for electronic PHI under HIPAA? They are encryption, passwords, record retention, and violation reporting.
I hope you've enjoyed today's video on HIPAA. Thanks so much for watching.