Introduction to HIPAA

Question 1

<b> HIPAA </b> stands for

Answer 1

<b>H</b>ealth <b>I</b>nsurance <b>P</b>ortability and <b>A</b>ccountability <b>A</b>ct

Question 2

HIPAA’s intent is to…

Answer 2

…reform the healthcare industry by reducing costs, simplifying administrative processes and burdens, and improving the privacy and security of individuals’ health information.

Question 3

<b>PHI</b> stands for

Answer 3

<b>P</b>rotected <b>H</b>ealth <b>I</b>nformation (<b>PHI</b>)

Question 4

<b>PHI</b> definition

Answer 4

<b>PHI</b> is any identifiable health information relating to the past, present, or future health condition of the individual regardless of the form in which it is maintained (electronic, paper, oral format, etc).

Question 5

<b>ePHI</b>

Answer 5

<i>Electronic</i> Protected Health Information, a subset of PHI

Question 6

The two organization types that are regulated under HIPAA:

Answer 6

<ol>
<li>Covered Entities</li>
<li>Business Associates</li>
</ol>

Question 7

Covered Entities definition

Answer 7

the source of of PHI; generate it. they have a direct relationship with individuals with PHI.

Question 8

Covered Entities are ___ and required to be ____.

Answer 8

<i>directly regulated</i>, <i>HIPAA compliant (protecting PHI)</i>

Question 9

Healthcare Clearinghouses are…

Answer 9

…covered entities that process nonstandard health information they receive from another entity into a standard format, or vice versa.

Question 10

Business Associates are ____ and required to be ____.

Answer 10

<i>directly regulated</i>, <i>HIPAA compliant (protecting PHI)</i>

Question 11

Business Associates definition

Answer 11

All third party vendors and business partners that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or another business associate.

Question 12

Chain of Trust

Answer 12

formed by business associate contracts, where a covered entity shares PHI with contracted business associates, with 1 contract per link.

Question 13

Business Associate contract

Answer 13

legal HIPAA document where the Business Associate legally attests to being HIPAA compliant, to either the Covered Entity or another Business Associate.
This enables sharing PHI from the attestee to the attester, wherein the attester becomes legally liable to fines and penalties.

Question 14

Two main parts of HIPAA

Answer 14

<ol>
<li>HIPAA privacy</li>
<li>HIPAA security</li>
</ol>

Question 15

HIPAA privacy

Answer 15

protections for PHI from a people standpoint

Question 16

HIPAA security

Answer 16

protections for EPHI; minimum tech standards and protections

Question 17

scenario: Dr. J hired an answering service, and later during an audit discovered the service was not HIPAA compliant.
q: what do differently?

Answer 17

Dr. J confirm answering service HIPAA compliant upfront, with some due diligence actions.

Question 18

scenario: Dr. J signs a BA contract with a HIPAA compliant service. This service uses an IT company.
Q: What service do to work with IT company?

Answer 18

Service ensure IT is HIPAA compliant.

Question 19

Covered Entities types:

Answer 19

Healthcare Providers, Health Plans, Healthcare Clearinghouses.

Question 20

Healthcare Providers

Answer 20

Physicians, Dentists, Nurses, Clinical Labs, Nursing Homes

Question 21

Health Plans

Answer 21

health insurance companies, HMOs, Government healthcare programs

Question 22

Healthcare Clearinghouses

Answer 22

entities that process nonstandard health information from another entity into a standard, or vice versa.

Question 23

HIPAA timeline

Answer 23

<ol>
<li>1996: HIPAA signed into law</li>
<li>2003: Covered Entities required to comply with Privacy Rule</li>
<li>2005: Covered Entities required to comply with Security Rule</li>
<li>2006: Enforcement begins</li>
<li>2009: ARRA and HITECH signed into law. Business Associates and subcontractors now required to comply</li>
<li>2013: Omnibus Rule takes effect. HITECH rolled back into HIPAA along with more detailed guidance</li>
</ol>

Question 24

ARRA

Answer 24

American Recovery and Reinvestment Act of 2009, superset of HIPAA updates which are HITECH Health Information Technology for Economic and Clinical Health Act (subset of ARRA).

Question 25

HITECH Act

Answer 25

Health Information Technology for Economic and Clinical Health Act of 2009
expanded
-scope of privacy & security protections available under HIPAA
-enforcement
-penalties

Question 26

Omnibus rule

Answer 26

made HITECH part of HIPAA in 2013, with more details

Question 27

HIPAA categories

Answer 27

<ol>
<li>Administrative Simplification, relevant to healthcare providers</li>
<li>Insurance Reform, relevant to insurance providers/payers</li>
</ol>

Question 28

Administrative Simplification goals

Answer 28

<ul>
<li> - administrative cost (26% of healthcare expenses in 2019)</li>
<li> - vulnerability of Internet-based tech </li>
<li> - fraud &amp; abuse</li>
<li> + efficiency &amp; effectiveness</li>
<li> + privacy </li>
<li> + patient rights</li>
<li> + availability of information for decision</li>
</ul>

Question 29

Administrative Simplification categories

Answer 29

<ul>
<li>Transactions, Code Sets, and Identifiers - standardize electronic transactions and data requirements for healthcare exchanges </li>
<li> Privacy - safeguards for PHI</li>
<li> Security - safeguards for ePHI </li>
</ul>

Question 30

HIPAA privacy compliance requires…

Answer 30

<ul>
<li>HIPAA privacy officer</li>
<li>employee training</li>
<li>documents and controls</li>
</ul>

Question 31

HIPAA privacy compliant: HIPAA privacy officer

Answer 31

individual responsible for HIPAA privacy compliance at organization

Question 32

HIPAA privacy compliant: employee training

Answer 32

all employees who have access to PHI must be given HIPAA awareness training every 2 years

Question 33

HIPAA privacy compliant: documents and controls

Answer 33

formal documents, controls and policies, and procedures to protect PHI in the org

Question 34

HIPAA security compliance requires…

Answer 34

<ul>
<li>HIPAA security officer</li>
<li>employee training</li>
<li>HIPAA security risk assessment</li>
<li>documents and controls</li>
</ul>

Question 35

non-compliance

Answer 35

<ul>
<li>non-compliance is a civil offense that carries a penalty from $100-$50,000 per violation, with caps of $25,000-$1.5 million for all identical violations of a single requirement in a calendar year</li>
<li>unauthorized disclosure or misuse of PHI under false pretenses or with intent to sell, transfer, or use for personal gain, or malicious harm is a criminal offense punishable by $250,000 in fines, and up to 10 years in prison</li>
<li>civil penalties are enforced by the Office of Civil Rights within the Department of Health and Human Services</li>
</ul>