Introduction to HIPAA Flashcards
A general introduction and overview of the federal HIPAA regulations
<b>HIPAA</b> stands for
<b>H</b>ealth <b>I</b>nsurance <b>P</b>ortability and <b>A</b>ccountability <b>A</b>ct
HIPAA’s intent is to…
…reform the healthcare industry by reducing costs, simplifying administrative processes and burdens, and improving the privacy and security of individuals’ health information.
<b>PHI</b> stands for
<b>P</b>rotected <b>H</b>ealth <b>I</b>nformation (<b>PHI</b>)
<b>PHI</b> definition
<b>PHI</b> is any identifiable health information relating to the past, present, or future health condition of an individual, regardless of the form in which it is maintained (electronic, paper, oral, etc.).
<b>ePHI</b>
<i>Electronic</i> Protected Health Information, a subset of PHI
The two organization types that are regulated under HIPAA:
<ol>
<li>Covered Entities</li>
<li>Business Associates</li>
</ol>
Covered Entities definition
The source of PHI; they generate it and have a direct relationship with the individuals whose PHI it is.
Covered Entities are ___ and required to be ____.
<i>directly regulated</i>, <i>HIPAA compliant (protecting PHI)</i>
Healthcare Clearinghouses are…
…covered entities that process nonstandard health information they receive from another entity into a standard format, or vice versa.
Business Associates are ____ and required to be ____.
<i>directly regulated</i>, <i>HIPAA compliant (protecting PHI)</i>
Business Associates definition
All third party vendors and business partners that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or another business associate.
Chain of Trust
Formed by business associate contracts, where a covered entity shares PHI with contracted business associates, with one contract per link.
Business Associate contract
Legal HIPAA document in which the Business Associate attests to being HIPAA compliant, either to the Covered Entity or to another Business Associate.
This enables the sharing of PHI from the party receiving the attestation to the attesting Business Associate, which thereby becomes legally liable for fines and penalties.
Two main parts of HIPAA
<ol>
<li>HIPAA privacy</li>
<li>HIPAA security</li>
</ol>
HIPAA privacy
Protections for PHI from a people and process standpoint
HIPAA security
Protections for ePHI; minimum technical standards and protections
Scenario: Dr. J hired an answering service and later, during an audit, discovered the service was not HIPAA compliant.
Q: What should have been done differently?
Dr. J should have confirmed up front that the answering service was HIPAA compliant, with some due-diligence actions.
Scenario: Dr. J signs a BA contract with a HIPAA compliant service. This service uses an IT company.
Q: What must the service do to work with the IT company?
The service must ensure the IT company is HIPAA compliant.
Covered Entities types:
Healthcare Providers, Health Plans, Healthcare Clearinghouses.
Healthcare Providers
Physicians, Dentists, Nurses, Clinical Labs, Nursing Homes
Health Plans
health insurance companies, HMOs, Government healthcare programs
Healthcare Clearinghouses
Entities that process nonstandard health information received from another entity into a standard format, or vice versa.
HIPAA timeline
<ol>
<li>1996: HIPAA signed into law</li>
<li>2003: Covered Entities required to comply with Privacy Rule</li>
<li>2005: Covered Entities required to comply with Security Rule</li>
<li>2006: Enforcement begins</li>
<li>2009: ARRA and HITECH signed into law. Business Associates and subcontractors now required to comply</li>
<li>2013: Omnibus Rule takes effect. HITECH rolled back into HIPAA along with more detailed guidance</li>
</ol>
ARRA
American Recovery and Reinvestment Act of 2009; it contains the HIPAA updates, which are the HITECH Act (Health Information Technology for Economic and Clinical Health Act), a subset of ARRA.
HITECH Act
Health Information Technology for Economic and Clinical Health Act of 2009
Expanded:
<ul>
<li>scope of privacy &amp; security protections available under HIPAA</li>
<li>enforcement</li>
<li>penalties</li>
</ul>
Omnibus rule
Made HITECH part of HIPAA in 2013, with more detailed guidance
HIPAA categories
<ol>
<li>Administrative Simplification, relevant to healthcare providers</li>
<li>Insurance Reform, relevant to insurance providers/payers</li>
</ol>
Administrative Simplification goals
<ul>
<li>Reduce: administrative cost (26% of healthcare expenses in 2019)</li>
<li>Reduce: vulnerability of Internet-based technology</li>
<li>Reduce: fraud &amp; abuse</li>
<li>Increase: efficiency &amp; effectiveness</li>
<li>Increase: privacy</li>
<li>Increase: patient rights</li>
<li>Increase: availability of information for decision-making</li>
</ul>
Administrative Simplification categories
<ul>
<li>Transactions, Code Sets, and Identifiers - standardize electronic transactions and data requirements for healthcare exchanges</li>
<li>Privacy - safeguards for PHI</li>
<li>Security - safeguards for ePHI</li>
</ul>
HIPAA privacy compliance requires…
<ul>
<li>HIPAA privacy officer</li>
<li>employee training</li>
<li>documents and controls</li>
</ul>
HIPAA privacy compliance: HIPAA privacy officer
Individual responsible for HIPAA privacy compliance at the organization
HIPAA privacy compliance: employee training
All employees who have access to PHI must be given HIPAA awareness training every 2 years
HIPAA privacy compliance: documents and controls
Formal documents, controls, policies, and procedures to protect PHI in the organization
HIPAA security compliance requires…
<ul>
<li>HIPAA security officer</li>
<li>employee training</li>
<li>HIPAA security risk assessment</li>
<li>documents and controls</li>
</ul>
Non-compliance
<ul>
<li>Non-compliance is a civil offense that carries a penalty of $100-$50,000 per violation, with caps of $25,000-$1.5 million for all identical violations of a single requirement in a calendar year</li>
<li>Unauthorized disclosure or misuse of PHI under false pretenses, or with intent to sell, transfer, or use it for personal gain or malicious harm, is a criminal offense punishable by $250,000 in fines and up to 10 years in prison</li>
<li>Civil penalties are enforced by the Office for Civil Rights within the Department of Health and Human Services</li>
</ul>