Health Insurance Portability and Accountability Act

1
1
2
Need For HIPAA

• In 2000, many patients who were newly diagnosed
  with depression received free samples of
  anti-depressant medications in their mail. This
  left patients wondering how the pharmaceutical
  companies were notified of their disease. After a
  long and thorough investigation, the Physician,
  the Pharmaceutical company and a well-known
  pharmacy chain were all indicted on breach of
  confidentiality charges.
• This is one of the many reasons the Federal
  Government needed to step in and create
  guidelines to protect patient privacy.
• HIPAA is Health Insurance Portability And
  Accountability Act

2
3
HIPAA

• Establishes a Federal floor of safeguards to
  protect the confidentiality of medical
  information.
• Allows patients to make informed choices when
  seeking care and reimbursement for care based on
  how personal health information may be used.
• Purpose To protect Protected Health Information
  PHI
• Effective from April 14, 2003.
• It is the Standard for security of data systems.
• It is privacy protection for individual health
  information.

3
4
What Is PHI?

• The health information which identifies the
  individual
• Includes information about past, present and
  future health, mental health of an individual
• Stored, used or disclosed information by covered
  entities or business associates.
• This includes electronic data, paper documents,
  oral or written conversations, films and
  microfiche.

4
5
Patient Identifier

• Names
• Address (street, city, county or zip code)
• Telephone numbers
• Fax numbers
• Social Security numbers
• All elements of dates (except for years)
• E-mail address
• Health plan beneficiary numbers
• Medical record numbers
• Account numbers

• Health plan beneficiary numbers
• Medical record numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• URLs
• IP address numbers
• Biometric Identifiers
• Full face photographs
• Any other unique identifying number or
  characteristic

5
6
6
7
Covered Entities

• Defined in the HIPAA rules as (1) health plans
  (2) Health care clearinghouses and (3) Health
  care providers who electronically transmit any
  health information in connection with
  transactions for which HHS has adopted standards.
• For example, hospitals, academic medical centers,
  physicians, and other health care providers who
  electronically transmit claims transaction
  information directly or through an intermediary
  to a health plan are covered entities.
• Covered entities can be institutions,
  organizations, or persons

8
Entity And Compliance With HIPAA

• Notify patients about their privacy rights and
  how their information can be used.
• Adopt and implement privacy procedures.
• Train employees so they understand the privacy
  procedures.
• Designate a Privacy Officer.
• Secure patient records containing Protected
  Health Information PHI.
• Covered entity provide custom made health care
  notice for individuals privacy rights and
  disclosure of protected health information-Notice
  of Privacy Practice. It covers the patients
  rights, disclosure rules and regulations.

8
9
Business Associates

• A person or entity that performs a function or
  activity on behalf of a Covered Entity CE that
  requires the creation, use or disclosure of
  Protected Health Information PHI but who is not
  considered part of the Covered Entities'
  workforce. They must have a written contract or
  agreement that assures they will appropriately
  safeguard Protected Health Information PHI they
  create or receive.

9
10
Business Associates

• Examples of Business Associates
• A third party administrator who assists a health
  plan with claims processing.
• A CPA firm whose accounting services to a health
  care provider involve access to protected health
  information.
• A health care clearinghouse that translates a
  claim from a non-standard format into a standard
  transaction on behalf of a health care provider
  and forwards the processed transaction to a
  payer.
• An independent medical transcriptionist who
  provides transcription services to a physician.
• A pharmacy benefits manager who manages a health
  plans pharmacist network

10
11
Administrative Safeguards

1. Security Management Process Conduct risk
   analysis on periodic basis, making sure all the
   policies and procedures are followed, sanction
   policy is required, information system activity
   review is necessary for firewall and network and
   for technical infrastructure safeguarding
2. Assigned security responsibilities Appoint
   HIPAA security officer.
3. Workforce security Includes authorization and
   supervision, workforce clearance procedures
   only required access and termination procedures.
4. Information access management by monitoring the
   logins and password management.

11
12
Administrative Safeguards

1. Security awareness training both covered
   entities and business associates should train the
   work forces, security reminders to be sent out.
2. Security Incidence procedures Have in place
   security incidence procedures.
3. Contingency plan evaluation Need data backup,
   data recovery plan, this includes man, machine
   and technology. Also includes emergency mode
   operation plan for business continuity, disaster
   management, for this check for assets, facilities
   and data priority.
4. Business associate contract It is a contract
   between covered entity and business associate
   based on 45CFR for use and disclosure rules of
   the protected health information.

12
13
Physical Safeguards

1. Facility access controls Contingency plan,
   validation procedure, all the doors of the
   organization except the front door should be
   locked, front door should lead to reception area
   where every person is scanned.
2. Workstation uses this safeguards requires
   policies and procedure to protect ePHI on
   workstation level ensuring that they are use
   appropriately.
3. Workstation security Make sure the work station
   does not walk off, eg use of laptops
4. Device and Media Control Any media storing PHI
   at the end of life should be disposed off
   properly using shredding machine, formatting, for
   reusable media- formatting, accountability of
   media and hardware.

13
14
Technical Safeguards

1. Access and audit control user should have unique
   user ID, emergency access, automatic log off and
   password protected screensavers, need encryption
   and decryption, need to generate audit log,
   random audits a required for audit log.
2. Transmission security It prevents users from
   accessing or changing PHI while in transit. Use
   encryption.
3. Integrity Making sure that the data is correct
   and accurate.
4. Person or entity authentication If 3rd party
   requires to access the systems for PHI, they
   should be authenticated first.

14
15

• Thank You

Contact Us- ITCube BPO Solution, Email-
info_at_itcubebpo.com Phone- 1 (614)
434-2376 10999 Reed Hartman Highway, Suite 134,
Cincinnati, Ohio - 45242, USA
www.itcubebpo.com
15