What does HIPAA stand for?
Health Insurance Portability and Accountability Act
What are the two rules of HIPAA?
Privacy Rule and Security Rule
What is the Privacy Rule?
Governs what is protected health information (PHI) across all forms (verbal, paper, electronic) and outlines proper use and disclosure guidelines for covered entities.
What is the Security Rule?
Guidelines for how ePHI should be protected, including administrative, physical, and technical safeguards to protect against data breaches.
Who does HIPAA apply to?
Covered entities: health care providers, health care clearinghouses, health plans
What is PHI?
Protected health information. PHI is protected under HIPAA. PHI is information about a person’s health conditions, health care, and payment that could individually identify them.
What are some examples of PHI identifiers?
Names, addresses, dates, telephone/fax/email, Social Security number, Medical Record number, Health Plan ID number, Account number, certificate/license number, vehicle identifiers/serial numbers/license plate, device identifiers, web and IP addresses, biometric identifiers, photos
What are some of the patient’s rights under HIPAA?
Patients can request a copy of health records, have corrections added to health info, receive notices and information about how health records are used, and request that a covered entity restrict how it uses their health information
What actions must a covered entity take if there’s a breach of PHI?
-Covered entity must notify the people whose info was breached
-Covered entity must notify US Dept. of Health and Human Services’ Office for Civil Rights (OCR)
-Covered entity may have to notify the media
What punishments will be imposed for a breach of PHI?
-Criminal penalties
-Civil money penalties on the covered entity/worker
-Corrective Action Plans
-Referral to the Department of Justice
Who investigates complaints and imposes punishments on covered entities who breach PHI?
Dept. of HHS’ Office for Civil Rights
PHI can be given to a researcher if…
-Patient or Institutional Review Board authorizes it
-There is a limited data set
-The data set is fully de-identified
-For a research proposal
-For research about a decedent (someone dead)
What are the HIPAA ‘rulez’?
Is using or disclosing this information in the patient’s best interest?
Do I need access to this information to do my job?
When leaving the workplace, was my work area secure?
What is the point of the new HIPAA rules?
The new rules protect patients and healthcare providers who seek or provide reproductive health care in jurisdictions where it is illegal.