Online compliance and continuing education courses for clinical laboratories

HIPAA Information and Courses from MediaLab, Inc.

These are the MediaLab courses that cover HIPAA, with the relevant pages within each course.

Learn more about laboratory continuing education for medical technologists to earn CE credit for AMT, ASCP, NCA, and state license renewal and recertification. Or get information about laboratory safety and compliance courses that deliver cost-effective OSHA safety training and continuing education to your laboratory's employees.


HIPAA Privacy and Security Regulations
Security Officer

In addition to the HIPAA Privacy Official, each covered entity must have a HIPAA Security Official. These may or may not be the same person. You should know the name and contact information for your facility's Privacy and Security Officials.

What is the HIPAA Security Regulation?

The HIPAA Security Regulation defines how to protect electronic health information. It went into effect April 20, 2005.

Case Study: Physical Safeguards

You are a supervisor of a health clinic. During orientation of a new employee, you instruct him to keep the door leading from a patient area to a computer work area locked at all times. On several occasions, he forgets to make sure the door is locked as he leaves. Which of the following are true regarding this situation?

What is Electronic PHI (ePHI)?

Electronic PHI includes all PHI in electronic format, and its use and disclosure is regulated by the HIPAA Security Rule. Examples of ePHI include:
- All PHI stored in computer systems and electronic storage media, including servers, workstations, laptops, PDAs, diskettes, CDs, tape, and USB drives.
- Electronic mail (email) messages.

Case Study: Administrative Safeguards

You are the technologist in charge of the hematology section in a hospital laboratory, and you are reviewing blood count results for 100 patients as part of an internal quality assurance project. You review the clinical findings in the electronic medical record to correlate with the laboratory results. The following week you get a call from your hospital security officer. She says that a routine computer system audit has revealed that you accessed the records of 100 patients, and she would like to know why. You tell her:

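The "routine computer system audit" in this case study is the kind of access review the Security Rule's audit-control requirement is meant to support. The following is an added example, not part of the MediaLab course: a small script that reads an access audit trail and queues for review any user who touched an unusually large number of distinct patient records in one day. The pipe-delimited log format, the sample records, and the threshold of 25 are all assumptions made up for this illustration; a real EHR or LIS audit trail has its own schema and baselines.

```python
"""Flag users who access an unusually large number of distinct patient records.

Added example (not part of the MediaLab course). The log format below is an
assumed, constructed one: one record per access, fields separated by '|':
    timestamp | user_id | patient_id | action
A real EHR or LIS audit trail uses its own schema and needs its own parser.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: 'tech01' reviews 100 patients on one day
# (the quality-assurance scenario from the case study); 'tech02' looks at a
# handful, including the same patient twice.
SAMPLE_AUDIT_LOG = "\n".join(
    [f"2024-03-04T09:{i % 60:02d}:00|tech01|P{1000 + i}|VIEW_RESULT" for i in range(100)]
    + [
        "2024-03-04T10:15:00|tech02|P2001|VIEW_RESULT",
        "2024-03-04T10:16:00|tech02|P2001|VIEW_RESULT",
        "2024-03-04T10:20:00|tech02|P2002|VIEW_RESULT",
        "2024-03-05T08:00:00|tech02|P2003|VIEW_RESULT",
    ]
)

# Assumed threshold for illustration only; a real program derives a baseline
# per role (a phlebotomist, a section supervisor and a coder differ widely).
DEFAULT_THRESHOLD = 25


def parse_audit_log(text):
    """Yield (date, user_id, patient_id, action) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        try:
            day = datetime.fromisoformat(ts).date()
        except ValueError:
            continue
        yield day, user, patient, action


def distinct_patients_per_user_day(text):
    """Map (user_id, date) -> set of distinct patient_ids accessed that day.

    Counting distinct patients rather than raw events keeps a user who
    re-opens one chart many times from looking like a bulk access.
    """
    seen = defaultdict(set)
    for day, user, patient, _action in parse_audit_log(text):
        seen[(user, day)].add(patient)
    return seen


def flag_bulk_access(text, threshold=DEFAULT_THRESHOLD):
    """Return review items for (user, date) pairs above the threshold.

    The output is a review queue, not a verdict: the security officer still
    has to ask the user why, exactly as in the case study. A legitimate QA
    project and a curious employee produce the same audit pattern.
    """
    flagged = []
    for (user, day), patients in distinct_patients_per_user_day(text).items():
        if len(patients) > threshold:
            flagged.append({
                "user": user,
                "date": day.isoformat(),
                "distinct_patients": len(patients),
                "sample_patients": sorted(patients)[:5],
            })
    return sorted(flagged, key=lambda item: (item["date"], item["user"]))


if __name__ == "__main__":
    for item in flag_bulk_access(SAMPLE_AUDIT_LOG):
        print(f"{item['date']} {item['user']}: {item['distinct_patients']} distinct "
              f"patient records (e.g. {', '.join(item['sample_patients'])})")
```

Run stand-alone, the script reports only tech01 on 2024-03-04 with 100 distinct patients. The threshold is deliberately a parameter: the right value depends on the role, and a good program also documents approved bulk-access activities (such as a QA review) ahead of time so the security officer's follow-up call is short.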
What is the HIPAA Privacy Regulation?

The HIPAA Privacy Regulation went into effect April 14, 2003. It protects the confidentiality of individuals' health data by regulating how Protected Health Information (PHI) is used, to whom it is disclosed, and how and where it is maintained. The HIPAA Privacy Regulation:
- Requires reasonable security measures to protect individuals' health information.
- Establishes accountability for use and release of this information.
- Gives individuals rights regarding their health information.

What Information is Protected?

HIPAA protects ALL information related to an individual's physical or mental health, including demographic and payment information, whether oral, written, or in computer format. All such information is referred to as Protected Health Information or PHI.

The HIPAA Privacy Regulation:

- Limits the use and disclosure of PHI.
- Establishes individual rights, specifically the:
  Right of Notice: Individuals have the right to know why PHI is being collected, and to whom it may be disclosed.
  Right of Access: Individuals may access their own PHI upon request.
  Right to Accounting of Disclosures: Individuals have a right to know to whom PHI was disclosed.
  Right to Amend: Individuals may request a change to their PHI.
  Right to Request Restrictions: Individuals may request that PHI be withheld from specific parties.
- Establishes administrative requirements.
- Provides for ways to report violations, including whistleblower provisions, and how to file complaints.

HIPAA Provides for the Following Rights:

- Right of notice: Individuals have the right to know the uses for which their PHI is being collected, and to whom it may be disclosed.
- Right of access: Individuals may access their own PHI upon request.
- Right to accounting of disclosures: Individuals have a right to an accounting of disclosures of their PHI.
- Right to amend: Individuals may request a change to their PHI.
- Right to request restrictions: Individuals may request that all or part of their PHI be withheld from specific parties.
Individuals may have additional rights under state law.

Administrative Requirements include the following:

- Every covered entity must designate a Privacy Official (Officer). You should know who your privacy official is and how to contact that person.
- All staff must participate in HIPAA training.
- Safeguards must be in place to protect PHI.
- There must be a process to handle complaints from individuals about the way their PHI is handled.
- There must be a procedure to discipline employees who do not comply with privacy policies.

Case Study: Minimum Necessary Use & Disclosure

You are a phlebotomist at a specimen collection center. A patient arrives with an order for a blood glucose test and a lipid profile. You get the patient's address, phone number, and health insurance coverage, and ask how long ago he ate his most recent meal. You then ask him about his recent auto accident, his wound infection, and his family. You write down all the extra information. Under the HIPAA Privacy Regulations, which of the following information requests is acceptable?

Case Study: Limiting Use & Disclosure of PHI

You are the customer service representative in a clinical laboratory. You get a call from someone at a local gastroenterologist's office, with whom you are personally familiar, requesting that you fax results on a patient, which the referring physician's office had failed to provide. The doctor needs the test results immediately. Under the HIPAA Privacy Regulations, you can comply with this request without getting written authorization from the patient.

Case Study: Incidental Disclosures and Safeguards

As a manager, you guided a group of high school students through your clinical laboratory during a field trip. You did not explain the laboratory's privacy policy to the teacher and students, because you thought they would have little access to PHI. However, during the tour the students overheard names of patients and blood tests, saw laboratory reports lying on desks, and viewed test results on computer screens. This is acceptable under the HIPAA Privacy Regulation, since these were incidental disclosures that could not reasonably be prevented.

Case Study: Accessing PHI

You are answering the office phone today. A person claiming to be a patient, whose voice you do not recognize, calls demanding all his test results for the past 6 months. He threatens to complain to the government if you won't immediately read him the results over the phone. Under the HIPAA Privacy Regulations, you must immediately give the patient the requested information over the phone, regardless of your office policy as it pertains to release of patient results.

Case Study: Business Associate

Your hospital hired a consulting firm to help review and update its HIPAA privacy program. The firm has submitted a proposal that will require limited access to records containing PHI. The hospital must have a business associate agreement in place before the consultants begin working.

Follow Your Own Facility's Policies and Procedures

This course has covered basic aspects of HIPAA Privacy and Security Regulations that you need to know. Your facility has its own detailed policies and procedures to enforce these regulations in your workplace, and it is your responsibility to follow these policies and procedures.

Relevant Components of HIPAA

The remainder of this course will cover what you need to know about the HIPAA Privacy Regulation and the HIPAA Security Regulation. You will, of course, also need to understand and follow your own institution's privacy and security policies and procedures.

Privacy is Your Responsibility.

As a health care worker, you are required by HIPAA to protect the privacy and security of the personal health information to which you have access.

HIPAA Enforcement

The penalties for HIPAA violations are substantial: fines can range from $100 to $250,000. Knowingly and wrongfully receiving or disclosing protected health information can also result in a prison sentence of up to 10 years.

Which of the following entities are covered by HIPAA?

Importance of Privacy - An Example

You will have many opportunities to avoid disclosing protected health information. Here is one simple example: your best friend asks you to look up her mother's laboratory results. Knowing the HIPAA privacy regulation and your own departmental policies and procedures, you do not disclose the protected health information she is requesting. You politely tell your friend that you are not allowed to give her the laboratory results.

What is HIPAA?

HIPAA is a federal law passed by Congress in 1996 to help protect the privacy and security of health information. It is short for Health Insurance Portability and Accountability Act.

Who does HIPAA apply to?

HIPAA applies to three groups, which it refers to as covered entities:
- Health plans (such as health insurance companies)
- Healthcare clearinghouses (such as billing companies)
- Healthcare providers (including doctors, hospitals, laboratories, and pharmacies)


Medicare Compliance for Clinical Laboratories
Laws and regulations that govern laboratories

Social Security Act: The Medicare and Medicaid laws are in this act, and Medicare rules and regulations come under it.

Anti-kickback laws: Provide criminal penalties for individuals or entities that knowingly and willfully offer, pay, solicit, or receive money or favors for referrals of tests or services that will be paid for by the Medicare or Medicaid programs.

False Claims Act: Provides penalties for knowingly or willfully filing a false claim to a government program.

Self-referral (Stark) laws and regulations: Identify financial relationships that have the potential to result in directed referral to one or both of the individuals or entities involved, and prohibit the referral of patients or tests between related entities unless certain conditions are met.

Health Insurance Portability and Accountability Act (HIPAA):
- Prohibits health care providers and payers from improper or inappropriate use of a patient's confidential health information.
- Requires health care providers to ensure that a patient's confidential information is kept secure.
- Provides for standardized electronic formats for all health care transactions.