HIPAA training

HIPAA: Health Insurance Portability and Accountability Act

  • reform health insurance industry

  • neutralize cost of reforms

  • HIPAA administrative simplification regulations

  • rules that govern the privacy and security of health information

  • give patients rights to better safeguard sensitive information

related laws carry civil and criminal penalties that can be applied even if you did not know the law existed

what is a HIPAA compliance officer

an individual who is responsible for overseeing HIPAA compliance

the roles of a HIPAA privacy officer

  • develop and implement HIPAA privacy policies, train workforce members, and monitor compliance

  • conduct risk assessments, revise HIPAA policies, and provide additional HIPAA training

  • be the point of contact between the organization and members of the public for HIPAA purposes

  • investigate HIPAA privacy violations, report data breaches, and apply sanctions to workforce members

  • work with business associates and regulatory agencies, and maintain compliance with other privacy laws

  • ultimate responsibility for HIPAA compliance

the roles of a HIPAA security officer

  • develop and implement security policies and procedures to support compliance with the HIPAA security rule

  • conduct risk assessments to determine the most appropriate security mechanisms and how they should be used

  • develop a security awareness training program in accordance with the general requirements of the HIPAA security rule

  • monitor compliance with the security policies and procedures, and apply sanctions when necessary to workforce members

  • develop backup, contingency, emergency mode, and disaster recovery plans for all systems that maintain health information

communicating with HIPAA privacy and security officers

  • approachable individuals who aim to enhance the organization's compliance culture

  • workforce members and healthcare students are encouraged to ask questions, raise concerns, and report incidents

  • can help explain the rationale behind why tasks are performed in a specific way

  • alert an officer to a potential violation at the earliest possible opportunity

definitions and lexicons

HIPAA covered entity:

  • a qualifying health plan, health care clearinghouse, or healthcare provider; to qualify, it must conduct standard healthcare transactions electronically (for example, insurance payments that are processed electronically); most hospitals, pharmacies, and health clinics qualify

business associate agreement (BAA):

  • a contract between a HIPAA covered entity and a business associate on how the business associate can use or disclose protected health information; it must be in place before PHI is disclosed

protected health information:

  • information relating to an individual’s health, treatment, or payment that can be used to identify the person; identifying information that is maintained separately from health information is not PHI and is not protected by HIPAA

electronic protected health information

  • subset of PHI

  • can be accessed remotely and so has a wider attack surface

  • additional safeguards apply when data is electronic

healthcare operations

  • administrative functions conducted by a HIPAA covered entity or business associate

  • quality assessments, competence reviews, and grievance resolution

  • disclosures of the minimum necessary PHI are permitted for healthcare operations

HIPAA minimum necessary standard

  • limits how much PHI can be used or disclosed for certain procedures

  • does not apply to required uses and disclosures, such as disclosures to the subject of the information or to HHS’ office for civil rights

HIPAA administrative simplification regulations

  • regulations adopted to comply with the HIPAA act

  • the HIPAA regulations that affect staff roles are in the HIPAA privacy, security, and breach notification rules

  • the HIPAA enforcement rule defines the procedures for compliance investigations by HHS’ office for civil rights

HIPAA rules

  • four subparts of the HIPAA administrative simplification regulations are commonly referred to as the HIPAA rules

  • HIPAA privacy rule, the HIPAA security rule, the breach notification rule, and the HIPAA enforcement rule

  • the remainder of the regulations consist of general requirements and the administrative requirements for healthcare transactions

HHS’ office for civil rights

  • an agency within the US department of health and human services

  • responsible for enforcing parts 160 and 164 of the HIPAA administrative simplification regulations

  • HIPAA privacy rule, the HIPAA security rule, and the HIPAA breach notification rule

workforce HIPAA sanctions

  • internal disciplinary measures for violations of HIPAA standards and security policies

  • nature of the sanctions depends on the motive and impact of the violation, and whether the violation was a repeat offense

  • minor violations will most often result in a warning and additional training; more serious violations carry harsher penalties

section 1177 of the social security act

  • covers the wrongful disclosures of individually identifiable health information

  • applies criminal penalties to workforce members who obtain health information for unlawful purposes

  • workforce members who help others obtain health information for unlawful purposes can also be charged with a criminal offense

confidentiality, integrity, and availability in HIPAA

  • confidentiality relates to the privacy and security of PHI in any format

  • integrity relates to ensuring PHI is not altered or destroyed impermissibly

  • availability relates to ensuring PHI is always available for permitted uses and disclosures

what is HIPAA consent and authorization

  • the HIPAA privacy rule permits uses and disclosures of PHI in non-routine cases

  • in those cases the use or disclosure of PHI must be supported by the patient's consent or authorization

  • consent can be informal and provided orally, but patient authorization involves a formal, written process

HIPAA notice of privacy practices (NPP)

  • describes how an organization can use or disclose an individual’s PHI

  • explains individual’s rights under HIPAA and how individuals can exercise their rights

  • not all HIPAA notices of privacy practices are the same, but organizations must adhere to the content

the main HIPAA regulatory rules

the HIPAA privacy rule

  • defines what health information is protected and when protected health information can generally be used or disclosed

  • stipulates what conditions must be fulfilled for other circumstances in which PHI is used or disclosed

  • the minimum necessary standard limits how much PHI can be disclosed to achieve the purpose of the disclosure

  • patients have the right to access their health information, request corrections, and obtain a report of when it has been disclosed to third parties

  • patients also have the right to request privacy protections and confidential communications, and to complain if they are being prevented from exercising their rights

the HIPAA security rule

  • contains safeguards designed to protect the security of electronic protected health information

  • organizations must develop policies and procedures to support compliance

  • workforce members and students must be trained on compliant use of devices and systems with access to health information

  • workforce members must not use any software or devices other than those sanctioned by the IT dept

  • failure to comply can result in disciplinary action

HIPAA breach notification rule

  • a breach is any impermissible acquisition, use, or disclosure of PHI in any format

  • if a breach is suspected, a risk assessment will determine whether it qualifies as a notifiable event

  • if a breach is confirmed as notifiable, affected individuals must be notified without unreasonable delay

  • regulatory agencies must also be notified, as may the media and law enforcement depending on the circumstances

  • to give affected individuals the best opportunity to protect themselves from fraud and theft, all known or suspected breaches must be escalated as quickly as possible