HIPAA

HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to improve the portability and continuity of health insurance coverage.
HIPAA Federal Legislation
• Established electronic security standards
• Protects the privacy of everyone’s medical information
• The complete suite of HIPAA Administrative Simplification Regulations can be found at 45 CFR Parts 160, 162, and 164, and includes:
• Transactions and Code Set Standards
• Identifier Standards
• Privacy Rule
• Security Rule
• Enforcement Rule
• Breach Notification Rule
The Privacy Rule
A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.
• The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
• The Privacy Rule calls this information “protected health information (PHI).”
HIPAA Privacy Rules
Health-care organizations must have written policies and procedures that are consistent with HIPAA regulations.
• They must also have a specific person assigned to ensuring that protected information is kept private and secure.
• This person is responsible for:
• training other employees regarding the guidelines set forth by HIPAA,
• ensuring that all regulations are followed, and
• disciplining employees that do not comply with HIPAA.
What is Protected Health Information?
“Individually identifiable health information” is information, including demographic data, that relates to:
• the individual’s past, present, or future physical or mental health or condition;
• the provision of health care to the individual; or
• the past, present, or future payment for the provision of health care to the individual;
• and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Examples of Protected Health Information
1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
Examples of Protected Health Information (continued)
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data).
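The 18 identifiers above are the “Safe Harbor” list: a data set from which all of them have been removed or generalized is no longer PHI. The rules for items 2 and 3 have edge cases (three-digit zip prefixes covering 20,000 or fewer people become 000; for anyone over 89, even the birth year is an element “indicative of such age” and must go). The following is an added example, not code from the original slides, that applies those rules to a constructed patient record. The field names (`zip`, `birth_date`, `mrn`, and so on), the reference date, and in particular the `SMALL_POPULATION_ZIP3` set are assumptions for illustration; the real set of low-population zip prefixes must be taken from current Census Bureau data.

```python
"""Safe Harbor de-identification of a single record (added example)."""
import re
from datetime import date

# Structured fields holding direct identifiers (Safe Harbor items 1, 4-15) are
# dropped outright. Field names are assumptions for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address",
}

# Constructed placeholder set of three-digit zip prefixes assumed to cover
# 20,000 or fewer people. Not authoritative: derive the real set from Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203", "556", "692", "790"}


def generalize_zip(zip_code: str) -> str:
    """Item 2: keep only the first three digits, or 000 for low-population areas."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) not in (5, 9):
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    prefix = digits[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def age_on(birth: date, ref: date) -> int:
    """Whole years between birth and ref, not counting an unreached birthday."""
    years = ref.year - birth.year
    if (ref.month, ref.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_deidentify(record: dict, reference_date: date) -> dict:
    """Return a copy of record with Safe Harbor identifiers removed or generalized.

    Keys ending in '_date' must hold datetime.date values; 'zip' holds a ZIP
    string; every other key is treated as clinical data and passed through.
    """
    out = {}
    age_over_89 = False
    birth = record.get("birth_date")
    if isinstance(birth, date):
        age = age_on(birth, reference_date)
        age_over_89 = age > 89
        # Item 3: ages over 89 collapse into the single '90 or older' category.
        out["age"] = "90 or older" if age_over_89 else str(age)
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key.endswith("_date") and isinstance(value, date):
            # Item 3: dates keep only the year. For a 90+ individual the birth
            # year itself is indicative of age, so it is removed entirely.
            if key == "birth_date" and age_over_89:
                continue
            out[key[: -len("_date")] + "_year"] = str(value.year)
        else:
            out[key] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "zip": "03601-1234",
    "birth_date": date(1930, 6, 15),
    "admission_date": date(2023, 3, 2),
    "discharge_date": date(2023, 3, 9),
    "diagnosis": "J18.9",
    "systolic_bp": 128,
}
REFERENCE_DATE = date(2023, 3, 2)


def deidentify_sample() -> dict:
    """Run the sample record through the de-identification routine."""
    return safe_harbor_deidentify(SAMPLE_RECORD, REFERENCE_DATE)


if __name__ == "__main__":
    for k, v in deidentify_sample().items():
        print(f"{k}: {v}")
```

Safe Harbor is only one of the two de-identification methods the Privacy Rule recognizes (the other is a formal “expert determination”), and stripping the 18 identifiers from structured fields does nothing about identifiers embedded in free-text notes, which need separate handling.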
Examples of Protected Health Information
• Information doctors, nurses, and other health care providers put in a medical record
• Conversations a doctor has about an individual’s care or treatment with nurses and others
• Information about an individual in a health insurer’s computer system
• Billing information about an individual at a clinic
• Common identifiers like name, address, Social Security number, and demographic information related to health
• Most other health information about an individual held by those who must follow the Privacy Rule
Examples of Things Not Protected Health Information
Health information by itself, without any of the 18 identifiers, is not considered to be PHI. Examples:
• a data set of vital signs by themselves
• prescription drug names
• Examples of research health information not subject to HIPAA include:
• studies that use aggregate data,
• diagnostic tests that do not go into the medical record, and
• genetic testing done without the PHI identifiers to search for potential genetic markers, promoter control elements, and other exploratory genetic research.
• (In contrast, genetic testing for a known disease that is considered to be part of diagnosis, treatment, and health care would be considered to use PHI and is therefore subject to HIPAA regulations.)
Responsibilities When Using Protected Health Information
Covered entities and their business associates are required to protect health information in several ways, including:
• Putting in place administrative, physical, and technical safeguards.
• Reasonably limiting uses and disclosures to the minimum necessary to accomplish their intended purpose.
• Limiting who can view and access health information.
• Implementing training programs for employees about how to protect health information.
Who Must Follow the Privacy Rule?
The Privacy Rule standards apply only to:
• Health plans;
• Health care clearinghouses;
• Health care providers who transmit any health information electronically in connection with certain transactions.
• These are called “covered entities” under HIPAA.
• See 45 CFR §§ 160.102 and 164.500.
HIPAA Covered Entities: Examples of Health Plans
Any individual or group plan (or combination) that provides or pays for the cost of medical care:
• Health insurance issuers
• HMOs
• Group Health Plans
• Medicare Parts A and B
• Medicare + Choice (under Part C)
• Medicaid
• See 45 CFR §160.103.
Examples of HIPAA Uncovered Entities
A doctor at a free clinic who does not accept insurance of any kind and thus does not file insurance claims probably does not have to comply with the Privacy Rule.
• This is because the doctor does not appear to send health information for the types of administrative or financial purposes that would make him or her a covered health care provider under the HIPAA Privacy Rule.
Examples of HIPAA Uncovered Entities
Many organizations that have health information about an individual do not have to follow the Privacy Rule. Examples include:
• life insurers;
• employers;
• workers’ compensation carriers;
• many schools and school districts;
• lawyers with client medical records;
• many state agencies, like child protective service agencies;
• many law enforcement agencies; and
• many municipal offices.
AAA Must Follow HIPAA
The Texas Department of Aging and Disability Services (DADS) is a covered entity.
• The Texas Area Agencies on Aging (AAA) are not considered covered entities, but they are business associates of DADS.
• Therefore, the Area Agencies on Aging must comply with HIPAA.
Who Can See Protected Health Information
The Privacy Rule permits PHI to be used and shared without the individual’s written authorization:
• For treatment and care coordination
• To pay doctors and hospitals for your health care and help run their businesses
• With family, relatives, friends, or others identified as involved with an individual’s health care
Who Also Can See Protected Health Information
The Privacy Rule also allows your information to be used and shared:
• With doctors to make sure they give good care, and with nursing homes to ensure cleanliness and safety
• With those who protect the public’s health and report when the flu is in your area
• With those required to make reports to the police, such as those reporting gunshot wounds
HITECH Act
The Health Information Technology for Economic and Clinical Health Act, abbreviated HITECH Act,