HIPAA

1
HIPAA

• Health Insurance Portability and Accountability
  Act of 1996

2
What is HIPAA?

• Health Insurance Portability and Accountability
  Act
• Law passed to ease movement of healthcare data
  between providers
• Places new restrictions/boundaries on disclosure
  of protected health information
• Establishes safeguards that organizations must
  achieve to protect the privacy of PHI

3
Goals of Privacy Standards

• Guarantee patients full access to their medical
  records
• Give patients more control over how their
  personal information is used/disclosed
• Provide an avenue of recourse if their medical
  privacy is compromised

4
Goals of Privacy Standards

• Assure privacy of information, without impeding
  research
• Avoid hindering access to care
• Allow treatment-related conversations
• Assure parents appropriate parental access to
  their childrens medical records

5
Impact of Privacy Standards

• Estimates that compliance with privacy provisions
  would COST 22.5 billion over the first year (AHA
  and BC/BS)
• HHS estimated SAVINGS associated with HIPAA
  transactions would total over 50 billion by 2008
  (Medicare and Medicaid)
• Another study estimated the cost to the HC
  industry approx. 43 billion (Dosher, 2000)

6
What is Protected Health Information (PHI)?

• Identifiable health information includes, but is
  not limited to, any personal medical record that
  was created or held by a covered entity,
  including oral communications and paper records
  that may or may not have existed in electronic
  form
• Related to past, present or future physical or
  mental health or condition of an individual

7
What is Protected Health Information?

• Identifiable data refers to information that has
  any components that could be used to identify the
  subject
• Individuals name, address, phone/fax numbers,
  email address
• Employers name, certificate/license number,
  voice or fingerprint data
• Relatives names, photos, date of birth
• Social Security number, medical record number,
  membership or account numbers
• Other numbers, occupational information

8

• HIPAA affects informationnot just electronic
  records!
• HIPAA protects individually identifiable health
  information and all medical records in any
  formelectronic, paper or verbalwhether or not
  it has ever been transmitted electronically

9
Exceptions

• There are a few areas (within certain guidelines)
  in which covered entities may disclose
  information
• Oversight of the health care system (quality
  assurance activities)
• Public health
• Research (limited to a waiver of authorization
  IRB approval)
• Judicial and administrative hearings

10
Exceptions

• Emergency Circumstances
• Identification of the body of a deceased person
  or the cause of death
• Facility patient directories
• Activities related to national defense and
  security
• Disclosures are limited to a minimum necessary
  for the purpose

11
Incidental Uses and Disclosures Include

• Waiting room sign-in sheets
• patient charts at bedside
• physician conversations with patients in
  semi-private room
• physicians conferring at nurses stations.

12
Under HIPPA, patients have the right to

• Receive Notice of Health Information Practices.
• Authorize use of their data.
• Request access to their data.
• Request an accounting of the uses and disclosures
  of their data.
• Request amendment and corrections to their data.
• Request restrictions on use of data.
• File a complaint.

13

• Why is HIPAA important for students?

14

• The HIPAA rules for privacy and security will
  apply to you when you are assigned as a
  student-worker in most organizations engaged in
  providing health care services, such as
  hospitals, clinics, nursing homes and mental
  health centers

15
Possible Criminal Penalties That Apply to Students

• Wrongfully accessing or disclosing PHI fines up
  to 50,000 and up to 1 year in prison
• Obtaining PHI under false pretenses Fines up to
  100,000 and up to 5 years in prison
• Wrongfully using PHI for a commercial activity
  Fines up to 250,000 and up to 10 years in prison

16
Possible Civil Penalties for the University

• Up to 100 per violation.
• Each name in a data set can be a violation.
• Not to exceed 25,000 per year.
• AND civil monetary damages may be available to
  patients who win state tort claims, such as
  breach of privacy.

17
In Addition

• Students who violate HIPAA rules in their
  assigned location may be removed from their
  academic program

18
What does this mean in practical terms for
students?

• Never discuss information about specific patients
  outside of the workplace
• Do not remove any files, forms or other patient
  information
• Do not include any information about any patient
  from your workplace n any notes, class reports or
  homework that would identify the patients
• Never provide PHI to a company or vendor seeking
  information about patients
• Follow the rules in your workplace regarding
  privacy and use of telephones, computers, faxes
  and e-mails

19
You must comply with security requirements for PHI

• Do not leave printed documents or files where
  unauthorized persons can see them
• Position computer screens so they cannot be seen
  by unauthorized persons
• Do not share your passwords with others
• Report suspected or known breaches of
  confidentiality to the organizations privacy
  officer
• Follow workplace procedures to lock doors and
  files