Hipaa basics pp2

THE BASICS OF HIPAA


Transcript of Hipaa basics pp2

Page 1: Hipaa basics pp2

THE BASICS OF HIPAA

Page 2: Hipaa basics pp2

HIPAA: WHAT IS IT?

• HIPAA does the following:
  • Creates standards for protecting the privacy of health information
  • Creates standards for the security of health information
  • Creates standards for electronic exchange of health information

Page 3: Hipaa basics pp2

WHAT IS COVERED BY HIPAA?

• Protected Health Information

The HIPAA privacy rule covers and sets standards for the collecting, sharing and storing of a person’s Protected Health Information, or PHI for short. PHI is information that:

• Relates to past, present or future physical or mental health or condition, or to the provision of or payment for health care.
• Identifies the individual in a personal way.
• Provides a reasonable basis to be used to identify the individual.
• Is created or received by a Covered Entity.

Page 4: Hipaa basics pp2

WHAT IS PRIVATE HEALTH INFORMATION?

Protected health information (PHI) is:

• Individually identifiable health information
• Transmitted or maintained in any form or medium by a Covered Entity or its Business Associate
• Health information, including demographic information
• Relates to an individual’s physical or mental health or the provision of or payment for health care
• Identifies the individual

Page 5: Hipaa basics pp2

TYPES OF PHI

• Billing Information
• Medical Insurance Forms
• Prescriptions
• Patient Charts/Records (Paper or Electronic)

Page 6: Hipaa basics pp2

WHAT DOES HIPAA APPLY TO?

• Forms
• Spoken Communication
• E-mails
• Faxes

Page 7: Hipaa basics pp2

PROTECTING PHI WITH HIPAA MEANS:

• Removal of certain identifiers so that the individual who is the subject of the PHI may no longer be identified:
  • Application of a statistical method, or
  • Stripping of listed identifiers such as:
    • Names
    • Geographic subdivisions smaller than a state
    • All elements of dates
    • SSNs
• Not discussing PHI with anyone other than those directly responsible for providing health care (provider, clinician, technician, etc.)

Page 8: Hipaa basics pp2

PATIENT’S RIGHTS

• Patients have the right to obtain and amend their PHI, and to:
  • Request restrictions on uses and disclosures
  • Request more confidential communications
  • Receive an accounting of disclosures
  • Complain about privacy violations
• Use and disclosure of PHI: Patients are entitled to know how their PHI will be used and who will receive their PHI.
• Patients have a right to see privacy disclosures regarding their PHI.

Page 9: Hipaa basics pp2

SPECIAL RULES OF HIPAA

• Special rules for certain types of entities:
  • Some Covered Entities have additional privacy regulations covering areas like directories, marketing and fundraising.
• Administrative requirements of Covered Entities may include detailed record-keeping and procedural compliance issues.

Page 10: Hipaa basics pp2

ENFORCEMENT OF HIPAA

• There are potential penalties and fines for noncompliance.
• Penalties start at $100 and can be as high as $25,000 per year.

• If an employee or patient makes a complaint, it will be investigated, and if necessary, subsequent corrective action will follow.

• Covered Entities or programs will have a process to receive and investigate complaints.

Page 11: Hipaa basics pp2

ANTI-RETALIATION POLICY

• Retaliation against anyone who may file a complaint is strictly prohibited

• Individuals may file a complaint with either the Covered Entity or the U.S. Department of Health and Human Services.

Page 12: Hipaa basics pp2

REASONABLE PHYSICAL AND TECHNOLOGICAL SAFEGUARDS

• Telephones – How do you know the person you are talking to is authorized to receive an employee’s PHI?

• Disposing of PHI – When you dispose of PHI (both hard copy and electronic) how can you be certain that it is appropriately destroyed?

• E-mail – How can you be sure PHI is secure when it’s sent via e-mail?

• Fax machines – When faxing PHI, how can you be sure the right person will read it on the other end?

• Mail – Sending PHI through the mail may have restrictions.

• Storing PHI – Safeguarding PHI on computer databases, file cabinets, even laptop computers will have to follow procedure.

Page 13: Hipaa basics pp2

WHAT DOES THIS MEAN TO YOU?

• Do not let anyone use your username and password
• Log off of your computer when you walk away from it
• Do not use anyone else’s username and password
• Do not discuss private health information of any patient outside of the care setting
• Do not discuss private health information of any patient with someone other than a direct caregiver
• Do not look up any health records, unless it is a patient under your care and the information is for the purpose of providing patient care
• Do not look up your own private health information