1. Redox Medical Center
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules
Roderick Laino
MHA690: Health Care Capstone
Dr. Sherry Grover
June 28, 2012
2. Objectives
๏ What is HIPAA?
๏ What are the organization’s and the clinician’s responsibilities?
๏ What information should be protected?
๏ What can we do as a team to protect patient health information?
๏ What is the organization’s policy for violators?
3. What is HIPAA?
๏ The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. (www.hhs.gov)
๏ The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. (www.hhs.gov)
4. Who ensures HIPAA compliance?
๏ Doctors, nurses, and any allied healthcare workers
๏ Pharmacies
๏ Hospitals, clinics, and nursing homes
๏ Health insurance companies
๏ Health maintenance organizations (HMOs)
๏ Employer group health plans
๏ Certain government programs that pay for health care, such as Medicare and Medicaid
๏ The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protects identifiable information being used to analyze patient safety events and improve patient safety. (www.hhs.gov)
๏ Any healthcare clearinghouse. A healthcare clearinghouse is any private or public entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. (www.cms.gov)
5. How does HIPAA relate to you as a “Clinician or Organization”?
๏ As an organization, it is our corporate social responsibility to ensure that we protect patient health information.
๏ How do we try to accomplish this? As an organization, we can do the following:
๏ Make sure that our website is secure
๏ Educate all of our employees through annual competency training
๏ Have an open-door policy for reporting any incident that might be a HIPAA violation
๏ Have an anonymous 1-800 reporting number that is available 24/7
๏ Have a non-retaliatory policy for reporting, in the event that a report turns out to be a false alarm
๏ Have password protection on every computer
๏ Track all activity by personal login
6. How does HIPAA relate to you as a “Clinician or Organization”?
๏ As a clinician, how can you make sure that you are protecting patient health information?
๏ Don’t talk out loud about patients, especially in public areas like the cafeteria, elevator, or bathroom, where anyone can overhear confidential patient information.
๏ Log off your computer when it is unattended
๏ Don’t share your password with anyone
๏ Call IT if you lose or forget your password
๏ All emails that contain PHI are automatically encrypted for security
๏ Report any and all suspicious activity
7. Responsibility
๏ Anyone who has access to patient health information is responsible for ensuring that we comply with the law: clinicians, allied healthcare workers, cashiers, medical records employees, medical assistants, etc.
๏ The organization as a whole is also responsible for educating and empowering staff and for auditing any reported incident.
๏ The organization is also responsible for ensuring that the website, email, and any PHI are held on a secured site and protected against hackers and malicious attacks from inside the company as well as outside.
8. What information is protected?
๏ Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
๏ “Individually identifiable health information” is information, including demographic data, that relates to:
๏ An individual’s past, present or future physical or mental health or condition,
๏ The provision of health care to the individual, or
๏ The past, present, or future payment for the provision of health care to the individual
9. What information is protected?
๏ Anything that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
๏ The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. (U.S. Department of Health & Human Services, 2003, pp. 3-4)
10. How do we ensure that we don’t violate HIPAA?
๏ The organization has done everything it can in order to be compliant.
๏ We have policies and procedures in place
๏ Pamphlets and brochures educate patients about their rights, as well as all employees
๏ We have annual training as part of annual competency
๏ HIPAA information is available 24/7 on the intranet
๏ We have a compliance officer for any concerns
๏ Every employee has their own password and restricted access to PHI
๏ All computers and instruments that carry PHI activity are tracked 24/7
11. How do we ensure that we don’t violate HIPAA?
๏ The organization has done everything it can in order to be compliant.
๏ We have an 800 number available for reporting 24/7
๏ We have a non-retaliatory policy
๏ Anonymous reporting is also available
๏ A HIPAA consent form is mandatory before any PHI is released to a third party
๏ Automatic log-out and save on computers that are idle
12. Zero tolerance for violators
๏ The company takes HIPAA seriously. All practitioners are only to access the PHI of patients that they have direct contact with. We have a computer alert for all practitioners, and they must acknowledge that they are in direct contact with that patient before access is granted. Violations of the HIPAA rules are grounds for termination.
๏ The organization wants to express the seriousness of this issue. We want to make sure that we communicate our expectations to you, and we wish that you’ll do the same.
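The access rule on this slide (acknowledge direct contact before a record opens, track every attempt by personal login, audit what was reported) can be modelled as a small access gate. This is an added illustration, not code from the presentation or from Redox Medical Center; the care roster, logins, and patient IDs are constructed.

```python
"""Added example: a minimal PHI access gate modelling the slide's rule.
A practitioner must acknowledge direct contact before a record opens,
every attempt is logged under the individual login, and an audit pass
flags acknowledged accesses that do not match the care roster.
The roster, logins and patient IDs are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed care roster (assumption): which patients each login is assigned to.
CARE_ROSTER = {
    "rlaino": {"P-1001", "P-1002"},
    "jdoe": {"P-2001"},
}


@dataclass
class AccessEvent:
    user: str
    patient_id: str
    acknowledged: bool
    granted: bool
    on_roster: bool
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


# Every attempt, granted or not, is recorded under the personal login.
ACCESS_LOG: list[AccessEvent] = []


def request_phi(user: str, patient_id: str, acknowledged: bool) -> bool:
    """Gate a PHI lookup: access is granted only after the practitioner's
    explicit acknowledgement of direct contact. The roster match is recorded
    for later audit rather than used to silently block the request."""
    on_roster = patient_id in CARE_ROSTER.get(user, set())
    granted = acknowledged
    ACCESS_LOG.append(AccessEvent(user, patient_id, acknowledged, granted, on_roster))
    return granted


def audit_off_roster_access(log=None) -> list[AccessEvent]:
    """Return granted accesses where the user was not on the patient's care
    roster: the cases a compliance officer reviews for a possible violation."""
    events = log if log is not None else ACCESS_LOG
    return [e for e in events if e.granted and not e.on_roster]
```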
13. Discussion 2 - Wk1: HIPAA presentation
๏ References:
U.S. Department of Health & Human Services. (2003). OCR privacy brief: Summary of the HIPAA privacy rule.
Centers for Medicare and Medicaid Services. (2009). HIPAA compliance review analysis and summary of results.