Health Insurance Portability and Accountability Act (HIPAA) of 1996
PRIVACY RULE
Privacy Rule
Compliance required as of April 14, 2003
Defines national standards for protecting patients’ health
information.
Addresses use and disclosure of patient’s individual
health information, called protected health information
(PHI).
Provides for protection of patient health information while
allowing for communication of that information necessary
to provide proper patient care.
Privacy Rule
Sets limits and conditions on how patient information may be used
and disclosed
Gives patients rights over their health information, including rights to
examine and obtain a copy of their health records, and to request
corrections
Creates civil and criminal penalties for violations of patients’ privacy
Applies to these persons/groups, known as covered entities.
– Health plans
– Healthcare clearinghouses
– Health providers who conduct healthcare transactions
electronically.
Privacy Rule
Covered entities must:
– establish policies and procedures to safeguard patients’ health
information
– reasonably limit uses and disclosures of health information to the
minimum needed to accomplish the intended purpose
– have contracts in place with their contractors and others (called
business associates) ensuring that they also use and disclose patient
health information properly and safeguard it appropriately.
– have procedures in place to limit who can view and access patient
health information
– implement training programs for employees about how to protect patient
health information.
Privacy Rule
Business Associates
– Individuals or organizations who perform functions for a covered
entity involving protected health information (PHI) but are not a
part of the covered entity’s workforce.
– Examples include:
• Medical transcription companies
• Billing/coding companies
• Release of information companies
• Attorneys, accountants, consultants, reviewers/auditors,
vendors, etc. who perform services for a covered entity and
have access to PHI
Privacy Rule
The Privacy Rule also establishes certain patient rights. Patients
may:
– review and get a copy of their health records
– request corrections to be added to their health information
– receive a notice outlining how health information may be used
and shared
– decide whether or not to give permission before their health
information can be used or shared for certain purposes, such as
for marketing
– get a report on when and why their health information was
shared for certain purposes
– file a complaint if they feel that their information is not being
protected, or if their rights are being denied
Privacy Rule
Protected Health Information
SECURITY RULE
Security Rule
Compliance required as of April 20, 2005
Applies to the security of electronic protected health
information (ePHI).
Addresses security of patient health data in the
administrative, physical, and technical areas
Addresses standards for ensuring that healthcare
systems are only accessible by those with a need to
know.
Security Rule
HITECH ACT
HITECH ACT
For the lowest tier – “if the covered entity did not know
and with the exercise of reasonable diligence would not
have known of the violation” – there is now a penalty
imposed, whereas previously there was not.
Civil Penalties (After HITECH)
With this new legislation, there is now a 4-tiered structure for civil penalties:
Violation | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Limit (for each year of the violation) **
Individual did not know (and by exercising reasonable diligence would not have known) of HIPAA violation | $100 | $50,000 | $25,000
** Annual limits effective April 30, 2019. Previous interpretation of the Enforcement Rule set
the maximum annual limit at $1.5 million for ALL tiers.
Types of Criminal Penalties
WRONGFUL DISCLOSURES
– “Knowingly obtain or disclose” PHI
– Fine of not more than $50,000 per offense
– Prison term not more than one year
FALSE PRETENSES
– Fine of not more than $100,000
– Prison not more than five years
Shred any documents containing PHI (census forms, etc.)
Do not print reports
Up-to-date antivirus software
For shared computers, must have individual user names and passwords for computer access
For individual computers, no one else is to be allowed to use your computer
Do not send PHI via e-mail, unless it is encrypted
Password protect your computer
Lock your computer when you leave it
Screen with PHI should not be visible to others
E-mail and Fax
E-mail
– If patient information must be shared over e-mail, then it should be
encrypted.
– A privacy statement must be included for all e-mails containing PHI,
similar to the fax cover sheet.
A secure workstation is essential, no matter if
you work in an office or work at home.
TRANSACTIONS
AND CODE SETS
STANDARD
Transactions and Code Sets
A transaction is an electronic exchange of information
between parties, for example when a physician’s office
submits a claim to an insurance company.