HIPAA Training
2. WHAT IS HIPAA
HIPAA, the Health Insurance Portability and Accountability Act, is a federal law
enacted in the United States in 1996. Its primary purpose is to address various
healthcare-related issues, including health insurance coverage, portability of
health insurance, and the privacy and security of individuals' protected health
information (PHI).
3. WHAT IS PHI / ePHI
PHI - PROTECTED HEALTH INFORMATION
ePHI - ELECTRONIC PROTECTED HEALTH INFORMATION
• Protected health information (PHI) is any information in the
medical record or designated record set that can be used to
identify an individual and that was created, used, or disclosed
in the course of providing a health care service such as diagnosis
or treatment.
• It must be protected no matter how or where it is collected,
transmitted, or stored and cannot be disclosed without the
patient’s knowledge or consent.
4. ePHI IDENTIFIERS
THE OFFICE FOR CIVIL RIGHTS (OCR)
5. PURPOSE OF HIPAA
• The purpose of HIPAA laws is to establish a set of national standards
regarding the use of health data. Additionally, these laws hold
healthcare providers and insurance companies accountable for the
ways in which they use PHI.
• HIPAA regulations have been adapted to focus on patient rights in a
digital world. As the number of cyber attacks continues to increase,
HIPAA laws help protect both providers and patients from data
breaches.
6. HIPAA SCOPE
• HIPAA applies to all healthcare facilities, healthcare providers, and
healthcare clearinghouses (insurance and billing companies) that transmit
PHI electronically. These businesses are referred to as “covered entities.”
• HIPAA requirements also extend to the relationships between covered
entities and their vendors (“business associates”), particularly those that
handle PHI or other sensitive data.
• Technology-based business associates include companies that create and
manage electronic health record systems, prescription management
programs, and billing software. These companies contract directly with
covered entities and are therefore subject to HIPAA requirements.
7. HIPAA SCOPE PERTAINING TO AXELLIANT
• Software developers, system and business analysts, UI/UX designers,
software testers, and all other roles involved in software development
and maintenance.
• Network engineers responsible for maintaining the network,
implementing security, and managing computers and other IT
equipment.
• Management in direct chain of command.
• Any other personnel exposed to PHI in the performance of their duties.
8. HIPAA REQUIREMENTS
a) Privacy Rule
b) Security Rule
i. Administrative Safeguards
ii. Technical Safeguards
iii. Physical Safeguards
c) Breach Notification Rule
d) Enforcement Rule
9. PRIVACY RULE
• The Privacy Rule applies to Protected Health Information in any format.
• The HIPAA Privacy Rule protects an individual’s health information and other
identifying information by limiting the permissible uses and disclosures of such
information by “covered entities” and “business associates” without the individual’s
authorization. The information cannot be used for purposes other than those for
which it was collected without first providing patients with a clear notice informing
them of their right to opt out of such use and how they may do so.
• The rule also gives individuals the right to request copies of their information and
request corrections when omissions or errors exist.
• Business Associates may also be required to comply with the Privacy Rule
depending on the service being provided.
10. SECURITY RULE
• The Security Rule also provides standards for ensuring that data are
properly destroyed when no longer needed.
10. SECURITY RULE (Contd.)
• Assign Security Officer
• Risk Analysis and Management
• Administrative Safeguards
o Security Management Process
o Security Personnel
o Information Access Management
o Workforce Training and Management
o Evaluation
• Physical Safeguards
o Facility Access and Control
o Workstation and Device Security
• Technical Safeguards
o Access Control
o Audit Controls
o Integrity Controls
o Transmission Security
• Organizational Requirements
o Covered Entity Responsibilities
o Business Associate Contracts
• Documentation of Policies and Procedures
11. BREACH NOTIFICATION RULE
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA
covered entities and their business associates to provide notification following
a breach of unsecured protected health information.
Submitting Notice of a Breach to Customer
Axelliant must notify the customer if it discovers a breach of unsecured protected health information. If a breach of
unsecured protected health information occurs at or by an Axelliant workforce member, Axelliant will notify the customer
following the discovery of the breach.
• Breaches Affecting 500 or More Individuals
If a breach of unsecured ePHI affects 500 or more individuals, Axelliant will notify the customer of the breach without
unreasonable delay and in no case later than 15 calendar days from the discovery of the breach.
• Breaches Affecting Fewer Than 500 Individuals
If a breach of unsecured ePHI affects fewer than 500 individuals, Axelliant will notify the customer of the breach within 30
days of the breach or before the end of the calendar year in which the breach was discovered, whichever comes first.
• Breaches Affecting an Unknown Number of Individuals
If the number of individuals affected by a breach is uncertain at the time of submission, Axelliant will provide an
estimate and, if it discovers additional information, submit updates.
12. BREACH NOTIFICATION PLAN
(Flowchart, reconstructed as a sequence of steps)
• Incident detection by a workforce member.
• Data breach incident reporting to the team lead / manager.
• Escalation to the Security Officer, who activates the Data Breach Response and Notification Plan.
• Evaluation by the Security Officer: is this a data breach?
o YES (data breach): investigation, data gathering, documentation and logging; report breach to management; notify customer.
o NO (incident/violation): assessment, documentation and logging; recommend measures.