1. HIPAA COMPLIANCE How you can
do your part

2. LECTURE OVERVIEW
 Basic HIPAA information............................... Slides 3-7
 Training Scenarios....................................... Slides
8-18
 Conclusion ................................................. Slide
19-20
 References ................................................ Slide 21

3. WHAT IS HIPAA
 Health Insurance Portability and Accountability Act
 Established in 1996
 2 Main parts: Privacy and Security
 Privacy Basics
 Standards developed to “address the use and disclosure of
individual’s health information or Protected Health information
(PHI)” (3)

4. WHO MUST COMPLY WITH HIPAA
ALL employees of the organization must follow HIPAA
Privacy Rules
Figure 1

5. WHAT TO SAFEGUARD: PROTECTED
HEALTH INFORMATION
 Basic Definition: identifiable health related information
about an individual
 3 elements of PHI(1):
 Individual is identified
 Health conditions or related information (e.g. Legal
proceedings)
 Information is held by a Covered Entity (CE)

6. HOW TO COMPLY WITH HIPAA
 US Dept of Health and Human Services states the Privacy
Rule’s “Basic Principle”: (3)
 “ ...purpose is to define and limit the circumstances in which an
individuals [PHI] is used or disclosed by [CEs]…”
 2 ways use and disclosure can be done:
 Permitted Uses
 To the individual
 Treatment, Payment, Operations (TPO)
 12 public interest and benefit situations
 Individual agreement/objection of additional uses and disclosures
 Incidental Uses or disclosures
 Limited Data set
 Authorized Uses
Please visit the website for additional information:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
***Contact the Privacy Officer with any questions or concerns***

7. MINIMUM NECESSARY
 Definition: A Privacy rule requirement that restricts
access to PHI to those who need the information to
complete the task it was meant for (1).
 Information obtained is limited to the minimum necessary to
complete the task.
 Be familiar with your specific department’s policies and
procedures as well as the organization’s.

8. RELEASE OF PHI GUIDELINES
 Ensure information:
 is being released to an authorized person
 fits the minimum necessary standard to complete the task
 has a valid date
 is available to be released
 Written authorization
 Oral authorization
 Or qualifies under authorized exceptions
 request has been documented
Use professional judgment:
Make sure the information being requested will not cause:
- individual harm
- relationship damage between individual and
organization

9. PART II: TRAINING SCENARIOS
 We will now discuss 4 different scenarios:
 Identify the problem
 Discussion
 Implement the solution

10. SCENARIO 1
Situation:
You have an electronic health record. When an error is
made in the record, it is the policy of the facility to allow
the person who has made the error, to totally delete it
from the system
The Problem: This breaks 3 Elements
 Integrity- record is accurate and complete
 Authenticity- record is authentic
 Non-Repudiation- record is undeniable
 Brodnik states the goal of the Security Rule is to “...protect
ePHI from unauthorized access, alteration, deletion and
transmission.” (1)

11. SCENARIO 1 SOLUTION
 General rules when dealing with an electronic health
record:
 Records should never be deleted
 When revision is required: The individual making the
correction needs to
 identify the incorrect data
 flag it
 provide a link
 Refer to Our Organization’s procedures and policies, in the
rare instance a deletion would need to be made or contact the
Privacy Officer

12. SCENARIO 1 SOLUTION
 Access Control List has been established
 Establishment of access controls to categorize which roles have
the authorization to delete records.
 Parameters have been put in place by categories organized by
roles and groups.
 Access rights have been implemented to identify the user and
certify that the user has the rights to complete the request.
If you do not have sufficient authorization rights for the task at hand please discuss how to
proceed with your supervisor or the HIM manager

13. SCENARIO 2
Situation:
Patients are allowed to amend the health record directly
into the electronic health record with no supervision of
staff
The Problem: Patient’s have the ability to change their
health records affecting:
 Integrity
 Authenticity
 Non-repudiation

14. SCENARIO 2 SOLUTION
 In compliance with HIPAA regulations, individuals must
have the right to request amendments to their records.
 Patient Amendment Process:
 Patient must complete an official request
 Written form
 Reason for amendment
 HIM department will process the request and contact the
patient

15. SCENARIO 3
Situation:
When a visitor is on a nurses station, the screens to the
computers are visible and readable by the visitor leaving
a patient PHI totally available to the public
The Problem: Adequate measures are not being taken to
secure patient records privacy.

16. SCENARIO 3 SOLUTION
 Workstation Use and Security Policies have been updated
to include the following requirements:
 Workstation locations must be in monitored areas
 Workstation screens need to be adjusted away from public
view
 Use of applicable screen devices such as protectors to block
peripheral views recommended
 Auto-time outs have been enabled on all workstations
 Password re-entry is required
 Security training and awareness program completion is
required for all employees who use workstations

17. SCENARIO 4
Situation:
When on the elevator, physicians, nurses, a custodian,
and a patient registrar, discussed patients by name,
health care problem, and in one case, an ongoing
litigation case about a malpractice suit.
The Problem: Breaches have occurred and Organizational
and Individual level
 Employees have failed to protect the privacy of PHI
 The minimum necessary standard has been violated

18. SCENARIO 4 SOLUTION
 Employee Awareness Standards
 Employees abide by Minimum Necessary Rule and HIPAA
Privacy rule

19. PENALTIES FOR NONCOMPLIANCE
 It is important to note that there are penalties for non
compliance
 Civil Penalties: range from $100/ violation to $25,000 max per
calendar year
 Criminal Penalties: range from $50,000 fine and 1 year
imprisonment to $250,000 fine and 10 years imprisonment

20. THINKS TO REMEMBER
 Closing thoughts:
 We must uphold the responsibility of ensuring patient
information (PHI) is protected and that patients know their
rights.
 We must respect individuals, workforce members and the
organization to act respectfully, and in accordance to
standards
20

21. REFERENCES
REFERENCES
1) Brodnik, MS, McCain, MC, Rinehart-Thompson, LA, Reynolds, RB. Fundamentals of Law for Health
Informatics and Info Mgmt. Chicago: AHIMA Press, 2008. p. 134, 140, 159, 176, 179, 182, 214-5, 217, 222.
2) Hughes, G. Laws and regulations governing the disclosure of health information (updated). AHIMA 2002 Nov [ cited
2012 May 21]; Available from: URL: http://library.ahima.org/xpedio/groups/public/documents/ahima/
bok1_016464.hcsp?dDocName=bok1_016464
3) The HIPAA privacy rule’s right of access and health information technology. Available from: URL: http://www.hhs.gov/
ocr/privacy/hipaa/understanding/special/.../eaccess.pdf
4) The five Ws of HIPAA. Available from: URL: som.ucsd.edu/webfm_send/4665
5) Health and Human Services Website. Available from: URL:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
6) Wiedemann LA, Hjort B. HIPAA Privacy and Security Training (Updated). AHIMA 2010 Nov [cited 2012 May 20];
[1 screen]. Available from: URL:
http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_048509.hcsp?dDocName=bok1_048509
Fiigure 1: University of Southern Alabama [Online Image] Available at: http://www.southalabama.edu/healthprofessions/
21