Health Insurance Portability and Accountability Act.

Health Insurance Technology for Economic and Clinical Health Act.

Keywords

HIPAA

Health Insurance Portability and Accountability Act.

• Enacted in 1996 to protect privacy and security of patients medical records and Personal Health Information (PHI).

• Importance of HIPAA and HITECH in corporate settings.

  • Protects patients data and privacy.

  • Avoids legal and financial consequences for non-compliance.

Purpose of HIPAA

• Portability and continuity of health insurance and coverage.

• Establish standards for electronic exchange of healthcare transactions.

• Protect privacy and security of patients health information (PHI).

Protection of patients privacy and data security

• Requires consent for use and disclosure of PHI.

• Impose limitations on sharing sensitive information.

• Grant patients rights over their PHI, including access and amendment rights.

Key provision and requirements

• Privacy rule: Establishes standards for use and disclosure of PHI by covered entities.

• Security rule: Mandates safeguards to protect the confidentiality, integrity and availability of electronic PHI.

• Breach notification rule: Requires covered entities to notify affected individuals in the event of data breach.

HITECH

Health Insurance Technology for Economic and Clinical Health Act.

• Passed in 2009 to strengthen HIPAA’s privacy and security provision in digital age.

• Aims to promote the adoption of Electronic Health Records (EHR) and enhance security.

• Enforces penalties for non-compliance for HIPAA.

Expansion of HIPAA’s privacy and security rule

• Extends HIPAA’s requirements to business associates and their subcontractors.

• Increase accountability for covered entities and business associate.

• Enhances individual rights regarding their PHI.

Enhanced enforcement and penalties

• Increased penalties with HIPAA violations with tiered fines based on level of negligence.

• Mandatory audits conducted by Office for Civil Rights (OCR) to assess compliance.

PHI

Protected Health Information

• Includes individually identifiable health information transmitted or maintained in any form.

Examples of PHI

• Patient demographic information: Name, address, date of birth, social security number, phone number, email address.

• Medical records: Medical history, diagnosis, treatment plans, medications, test results, surgical notes.

• Health insurance information: Insurance policy number, coverage details, claim information.

• Billing and payment information: Invoices, receipts, financial records related to healthcare services.

• Conversations and communications about health care: verbal, written and electronic discussions between healthcare providers and patients.

• Any other information that can be used to identify an individual in relation to their health status or healthcare services.

ePHI: Electronic Protected Health Information

Electronic Protected Health Information

• Information that is produced, saved, transferred or received in an electronic or digial form.

Examples of stored location of ePHI

• PHI on personal computers or laptops used at work, at home or traveling.

• PHI stored of CD, DVD, any magnetic or digital storage media.

• PHI on removable storage devices, such as USB sticks, portable and hard drive.

• PHI on PDA or smart phones.

Covered Entities and Business Associates

Covered Entities

• Healthcare Provides

  • Hospitals, Clinic, Doctors, Psychologist, dentists, chiropractors, nursing homes, pharmacies.

• Health Plans

  • Insurance companies, HMOs, US Department of Veterans.

• Healthcare clearing houses is any public or private entity that processes or facilitates healthcare data e.g. billing services, re-pricing companies, community health management.

Examples of Covered Entities in corporate settings.

• Employee Health Plans

• On-Site medical clinic.

• Occupational health services.

Business Associates

• Individual or organizations that handle PHI on behalf of covered entities and may have access to PHI.

Obligations of Business Associates

• Must comply with HIPAA regulations, including security rule and breach notification requirements.

• Business associates agreements establishes the responsibilities and liabilities of covered entities and the business associate.

Example of Business Associate.

• Accounting Firm: CPA firm that provide services and health care providers.

• Legal Services: Attorney that provide services to health plans.

• Utilization Reviews: Consultant that perform reviews for hospitals.

• Transcription Services: Independent medical transcriptionist that provide services to physicians.

HIPAA Privace Rule

• Establishes standards to protect the privacy of individuals PHI held by covered entity.

• Regulates the use and disclosure of PHI and grants individual rights over their health information.

• Individual rights and HIPAA.

  • Right to access and obtain copy of their PHI.

  • Right to request amendments or correction to their PHI.

  • Right to request the restriction on the use or disclosure of PHI.

• Use and disclosure of PHI.

  • Covered entities must obtain patients authorization to use or disclose the PHI, ascept for certain permitted purposes.

  • PHI can be used for treatment, payment, healthcare operations and other specific circumstances outline in privacy rule.

HIPAA Security Rule

• This complements the privacy rule and sets standards for security of ePHI.

• Establishes administrative, technical and physical security safeguards to protect confidentiality, integrity and availability of ePHI.

• Safeguards.

  • Administrative Safeguards: Policies, procedures and documentation to manage the selection, development and implementation of security measures.

  • Physical Safeguards: Policies, procedures and controls to protect the physical environment and equipment containing ePHI from unauthorized access, theft or damage.

  • Technical Safegaurds: Measures to control access to ePHI and protect it during transmission or storage such as encryption and authentication.

HITECH Breach Notification Rule

• HITECH act introduces the breach notification rule to ensure timely notification of individuals affected by breaches of unsecured PHI.

• It requires covered entities to assess the risk of harm and notify affected individuals, the OCR and potentially the media.

Reporting requirements of breaches of PHI

• Covered entities must promptly investigate and determine if a breach of unsecured PHI has occurred.

• If breach is identified, affected individuals must be notified without unreasonable delay.

• Notification must include the description of the breach, steps individuals can take to protect themselves and contact information for further assistance.

Breaches affecting less than 500 individuals

• The covered entities must notify within 60 days after the breach has been discovered.

  • To the affected individuals.

  • To the HHS secretary.

Breaches affecting more than 500 individuals

• The covered entities must notify within 60 days after the breach has been discovered.

  • To the affected individuals.

  • To the HHS secretary.

  • To the prominent media outlets.

Investigation and Mitigation Procedures

• Breaches must be evaluated to determine the cause, extent and potential impact on individuals.

• Appropriate actions to be taken to mitigate harm, prevent future breaches and comply with reporting obligations.

• Responsibilities of Covered Entities and Business Associates.

  • Promptly reporting breaches and cooperating with investigations.

  • They must implement measures to prevent the breaches and ensure security of PHI.

HIPAA Omnibus Rule

• This rule is effective from 2013, is the most recent addition to HIPAA.

• It gives patients more access to their health information, strengthens the protection of protected health information (PHI) and requires providers to follow patient request.

• Also brings business associates of covered entities under HIPAA regulatory framework and directly regulated by US Department of Health and Human Services.

• The Rule modifies the following rule: Privacy Rule, Security Rule, Enforcement Rule and Breach Notification Rule.

• It extends the protection to PHI:

  • Used for marketing and fundraising purposes.

  • Sold without express patient consent.

  • Shared during treatment or payment for care.

  • Part of student immunization record.

  • Classified as genetic information.

• The rule also:

  • Expands an individuals rights to receive an electronic copy of their PHI.

  • Restricts the disclosure of PHI to health plans when individual pays for treatment in full.

  • Prohibits health plans from using or disclosing genetic information for underwriting purposes.

Tiered Penalty Structure

• Unknowing: $100 - $50,000

• Reasonable cause: $1,000 - $50,000

• Willful Neglect: Corrected: $10,000 - $50,000

• Willful Neglect: Not Corrected: atleast $50,000

Omnibus Rule is designed to ensure HIPAA protection lasts for upto 50 years following death of an individual.

Examples of HIPAA violations

Common violations

• Unauthorized access to the patients records.

• Sending PHI to wrong recipient.

• Discussing PHI in public areas.

• Improper disposal of PHI.

• Failure to encrypt ePHI.

Consequences of Violation

• Financial penalties

• Legal action.

• Loss of patient trust.