Hippa#Training Module02

This document discusses the objectives and key elements of HIPAA, including the Privacy Rule, Security Rule, and Enforcement Rule. It defines protected health information and covers permitted uses and disclosures of PHI, as well as incidental disclosures. The document also explains who is covered by HIPAA, the implications for patients, and how to explain HIPAA to patients in a privacy policy.

Uploaded by

Adrian W

HIPAA

OBJECTIVES:

Purpose of the HIPAA legislation.

Changes implemented to HIPAA by the Omnibus Final Rule.

Key elements of the Privacy Rule, Security Rule, Enforcement Rule and Breach Notification Rule.

Unique Identifiers, Transaction and Code Set Rules.

How to apply the above rules to daily practice in a medical office setting.
Q. What is HIPAA?

HIPAA: Health Insurance Portability and Accountability Act of 1996.

Its full title describes it as an Act "to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes." It was signed into law by President Bill Clinton on August 21, 1996.

Numerous additions and modifications over the last 20+ years.

HIPAA was an attempt by Congress to improve efficiency in healthcare, eliminate waste, combat fraud, and ensure that health information that can be tied to an individual, and would allow them to be identified, is protected and kept private and confidential.

Standard codes and identifiers were created to make health information exchange easier, and healthcare providers, health insurers, and their business associates were
Q. What is "Protected Health Information"?

PHI is individually identifiable health information held or transmitted by a Covered Entity or Business Associate, in any form. The Privacy Rule's Safe Harbor de-identification standard lists eighteen identifiers of the individual (or of their relatives, employers or household members) that must be removed before health information stops being PHI; individually, or linked with other data, any of them could reveal who a person is, or their medical or payment history:

1. Names, or parts of names
2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code)
3. All elements of dates (other than year) directly related to an individual, and ages over 89
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers, including fingerprints, retinal and voice prints
17. Full-face photographs and any comparable images
18. Any other unique identifying number, characteristic or code
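Most of the identifiers above have a recognisable shape in free text, which is what a data-loss-prevention or de-identification scan keys on. The following is an added example, not part of the original training deck: a Python scanner that flags and redacts a subset of the Safe Harbor categories in a clinic note. The regular expressions are illustrative heuristics chosen for this example, the sample notes are constructed, and names and geographic text (categories 1 and 2) are deliberately left out because they need dictionary or NLP methods rather than patterns. Note that a bare year ("1962") and an age of 45 are not flagged, while a full date and an age over 89 are, which is exactly the distinction Safe Harbor draws.

```python
import re
from collections import defaultdict

# Heuristic patterns for a subset of the 18 Safe Harbor categories.
# These regexes are an assumption of this example, not a certified
# de-identification method; order matters for redaction (SSN before
# phone, URL before date) so earlier placeholders are not re-matched.
PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone/fax number": re.compile(
        r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Lazy match with a lookahead so trailing sentence punctuation is excluded.
    "web URL": re.compile(r"https?://\S+?(?=[.,;:)]?(?:\s|$))", re.IGNORECASE),
    # Full dates only: Safe Harbor allows the year on its own.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "medical record number": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),
    # Ages over 89 must be aggregated; "45-year-old" is not flagged.
    "age over 89": re.compile(
        r"\b(?:9\d|1\d\d)[ -]?(?:years?[ -]old|y/?o)\b", re.IGNORECASE),
    "ZIP code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Constructed sample input for this example (no real person or system).
SAMPLE_NOTE = (
    "Pt John Q. Sample, DOB 03/14/1962, MRN 0049283, SSN 123-45-6789. "
    "Lives at 44 Elm St, Springfield, IL 62704. Phone (555) 123-4567, "
    "email jsample@example.com. Portal login from 203.0.113.7 via "
    "https://portal.example.org/visit/8812. 92-year-old mother is caregiver."
)

# Constructed note that keeps only Safe Harbor-permitted detail.
DEIDENTIFIED_NOTE = (
    "Patient in the 1962 birth cohort, age 45, seen in Illinois; "
    "follow up next year."
)


def scan_phi(text: str) -> dict[str, list[str]]:
    """Return {category: [matched strings]} for every category found in text."""
    found: dict[str, list[str]] = defaultdict(list)
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            found[category].append(match.group(0))
    return dict(found)


def redact_phi(text: str, placeholder: str = "[{category}]") -> str:
    """Replace each detected identifier with an upper-case category placeholder."""
    for category, pattern in PATTERNS.items():
        text = pattern.sub(placeholder.format(category=category.upper()), text)
    return text


if __name__ == "__main__":
    for category, hits in scan_phi(SAMPLE_NOTE).items():
        print(f"{category}: {hits}")
    print(redact_phi(SAMPLE_NOTE))
    print("de-identified note flags:", scan_phi(DEIDENTIFIED_NOTE))
```

Running the scan over the constructed note reports nine categories; the de-identified note reports none. A scanner like this is a first-pass control for outbound email, ticketing systems or log pipelines, not a substitute for a formal de-identification review.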
Unique Identifiers Rule

The Employer Identification Number (EIN): employers are identified on standard transactions by their IRS-issued EIN, so that every transaction uses the same number for the same employer.

The National Provider Identifier (NPI): a 10-digit number that carries no other information about the provider, such as their specialty or the state in which they practice.

The Health Plan Identifier (HPID): the Centers for Medicare & Medicaid Services (CMS) identifier for health plans and payers, adopted in 2012 and rescinded in 2019 after the industry reported that it added no value to standard transactions.
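The deck describes the NPI only as a 10-digit number with no embedded meaning. It does carry one thing worth knowing when you validate intake forms or hunt for provider identifiers in data: the tenth digit is a check digit, computed with the Luhn algorithm over the number prefixed by the card-issuer constant 80840, as the CMS NPI specification defines. The following validator is an added example, not part of the original deck, and goes beyond its text by implementing that check. The 1234567893 value is the worked example from the CMS check-digit documentation; the referral note is constructed for this example.

```python
import re

# CMS card-issuer prefix that makes a 10-digit NPI a 15-digit ISO/IEC 7812 number.
NPI_PREFIX = "80840"


def npi_check_digit(base9: str) -> int:
    """Return the Luhn check digit for a 9-digit NPI base.

    Luhn is run over NPI_PREFIX + base9: walking from the right, every
    other digit (starting with the rightmost) is doubled, with 9 subtracted
    from any product above 9; the check digit brings the sum to a multiple
    of ten.
    """
    if len(base9) != 9 or not base9.isdigit():
        raise ValueError("NPI base must be exactly 9 digits")
    total = 0
    for i, ch in enumerate(reversed(NPI_PREFIX + base9)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of the base is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is 10 digits and its last digit matches the Luhn check digit."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


def find_npis(text: str) -> list[str]:
    """Return 10-digit runs in text whose check digit validates.

    A 10-digit phone number written without separators usually fails the
    check, so the checksum removes most false positives a bare \\d{10}
    pattern would produce.
    """
    candidates = re.findall(r"(?<!\d)\d{10}(?!\d)", text)
    return [c for c in candidates if is_valid_npi(c)]


# Constructed sample input for this example.
REFERRAL_NOTE = (
    "Referred by Dr. A. Example (NPI 1234567893); "
    "office line 5551234567, fax 5551234568."
)

if __name__ == "__main__":
    print("check digit for 123456789:", npi_check_digit("123456789"))
    print("valid NPIs in note:", find_npis(REFERRAL_NOTE))
```

The two phone numbers in the constructed note are 10-digit runs too, but neither passes the check, so only the real NPI is returned. The check digit detects transcription errors, not forgery: anyone can construct a number that validates, so a valid checksum says nothing about whether the provider exists.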
The Five Titles Of HIPAA

Title I: HIPAA Health Insurance Reform

Title I protects health insurance coverage for individuals who lose or change jobs. It also prohibits group health
plans from denying coverage to individuals with specific diseases and pre-existing conditions, and from
setting lifetime coverage limits.

Title II: HIPAA Administrative Simplification

Title II directs the U.S. Department of Health and Human Services (HHS) to establish national standards for
processing electronic healthcare transactions. It also requires healthcare organizations to implement secure
electronic access to health data and to remain in compliance with privacy regulations set by HHS.

Title III: HIPAA Tax-Related Health Provisions

Title III includes tax-related provisions and guidelines for medical care.

Title IV: Application and Enforcement of Group Health Plan Requirements

Title IV further defines health insurance reform, including provisions for individuals with pre-existing conditions
and those seeking continued coverage.

Title V: Revenue Offsets

Title V includes provisions on company-owned life insurance and the treatment of those who lose their U.S.
citizenship for income tax purposes.

Who is Covered by HIPAA?

Practically all health plans, health care clearinghouses, health care providers who transmit health information electronically in connection with a standard transaction, and endorsed sponsors of the Medicare prescription drug discount card are "HIPAA Covered Entities" under the Act. Typically, these are entities that come into contact with Protected Health Information on a regular basis.

"Business Associates" are also covered by HIPAA. These are entities whose primary occupation is not creating, receiving, maintaining or transmitting Protected Health Information, but who provide third-party services and activities for Covered Entities in the course of which they handle PHI. Before undertaking a service or activity on behalf of a Covered Entity, a Business Associate must sign a Business Associate Agreement committing it to safeguard the PHI to which it has access, and since the Omnibus Rule it is directly liable for compliance with the Security Rule and the applicable parts of the Privacy Rule.

Employers are not Covered Entities unless the nature of their business meets the criteria (a Medical Center that employs staff is a Covered Entity because it is a provider, not because it is an employer). However, a self-insured employer sponsors a group health plan, and that plan is itself a Covered Entity; the PHI the employer handles as plan sponsor is protected by the Privacy Rule, so it must be kept separate from employment decisions and handled in compliance with HIPAA.
The Implications of HIPAA to Patients

The implications of HIPAA to patients are that their healthcare information is treated more carefully and can be accessed more quickly by their healthcare providers. Electronically stored health information is now subject to defined safeguards that paper records never had, and healthcare organizations that have implemented mechanisms to comply with HIPAA regulations report improved efficiency. This manifests, as far as patients are concerned, as a higher standard of healthcare.


How to Explain HIPAA to Patients

Health care providers are required by law to give patients a Notice of Privacy Practices and to make a good-faith effort to obtain the patient's written acknowledgment that they received it, so it will be necessary to explain HIPAA to patients. The best way is to put the relevant information in the Notice, and then give patients a synopsis of what it contains. For example, explain to the patient that:

They have the right to request a copy of their medical records whenever they like.

They have the right to request that you amend their medical records when appropriate.

They have the right to request restrictions on who has access to their personal health information.

They have the right to choose how healthcare providers communicate with them.

They also have the right to complain, to the practice and to the HHS Office for Civil Rights, about the unauthorized disclosure of their PHI.

HIPAA itself gives patients no private right of action, so an individual cannot sue under HIPAA for an unauthorized disclosure of their PHI; complaints go to the Office for Civil Rights, which investigates and imposes civil penalties (state privacy or negligence laws may separately allow a lawsuit). Knowing violations committed under false pretenses, or for commercial advantage, personal gain or malicious harm, are criminal offences prosecuted by the Department of Justice, with penalties of up to ten years' imprisonment.
Permitted Use & Disclosure of PHI

PHI may be used or disclosed as needed for treatment, payment or healthcare operations.

Treatment: to provide or manage health care, including consultations and referrals from one provider to another.

Payment: for a health plan to receive premiums or determine benefits, and for providers to obtain payment for services.

Health Care Operations: activities such as case management, audits, medical reviews and business management.
Disclosure of PHI without the individual's written authorization

The Privacy Rule also permits disclosure without authorization in specific situations, including:

To the individual themselves.

As required by law.

To report abuse or neglect.

For public health activities.

For organ donation.

For workers' compensation.

Authorized Uses and Disclosures Under the Privacy Rule

PHI may be used or disclosed for purposes other than those the Privacy Rule permits only if the individual's written authorization is obtained.

Example: when calling a patient with test results, this practice gives the results to another family member ONLY if the patient has authorized it in writing. (The Privacy Rule itself permits sharing with a family member involved in the patient's care when the patient agrees or, given the opportunity, does not object; requiring written authorization is a stricter practice policy.)

Authorizations must be written in specific terms and in plain language. A valid authorization must include:

What information is to be disclosed.

Who is disclosing the information and who is receiving it.

The purpose of the disclosure.

The expiration date or event.

The individual's signature and the date.

A statement of the individual's right to revoke the authorization.
Incidental Use & Disclosure Of PHI

The Privacy Rule is not intended to keep health care providers from talking to one another or to their patients.

Incidental Disclosure: a secondary disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure, for example small amounts of patient information overheard by people near where care is delivered. Such disclosures are permitted only when the office applies reasonable safeguards and the minimum necessary standard.

Reasonable safeguards:
1. Avoid speaking about one patient in front of another patient.
2. Avoid having a conversation about a patient in public places like the elevator or cafeteria.
3. Speak in a quiet voice when discussing a patient over the phone.
4. Discuss highly confidential PHI in a private room or area where possible.
Administrative Requirements for Privacy Rule Compliance

Privacy Policies & Procedures
The office must implement written policies and procedures regarding PHI that accord with the Privacy Rule. They should be reviewed and updated regularly, and retained for six years from the date they were last in effect.

Privacy Personnel
A privacy official responsible for the policies, and a contact person for receiving complaints and addressing HIPAA-related concerns, must be designated; in a small practice one person may fill both roles.

Workforce Training & Management
All workforce members must be trained on the privacy policies, and the training must be documented. Sanctions for violating the privacy policies and procedures should also be taught, applied consistently and documented.

Mitigation
Steps must be taken to mitigate, as far as practicable, any harmful effect caused by a violation of the privacy policies or an improper use or disclosure of PHI.
HIPAA Rules Explained
HIPAA Privacy Rule:

The Privacy Rule dictates how, when and under what circumstances PHI can be used and disclosed. It sets limits on the use of patient information when no authorization has been given by the patient, and it gives patients and their representatives the right to obtain a copy of their health records and to request changes.

HIPAA Security Rule:

The Security Rule sets the minimum administrative, physical and technical safeguards for electronic PHI (ePHI). Any Covered Entity or Business Associate that creates, receives, maintains or transmits ePHI must follow these standards.

Breach Notification Rule:

Affected individuals must be notified of a breach of unsecured PHI without unreasonable delay and no later than 60 days after its discovery. If a breach affects 500 or more individuals, the Department of Health and Human Services must be notified within the same 60 days, and if 500 or more residents of a state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Omnibus Rule:

The final HIPAA Omnibus Rule (2013) enhances patients' privacy protections, gives individuals new rights to their personal health information, makes Business Associates directly liable for compliance, and strengthens the government's ability to enforce the law.

Enforcement Rule:

The Enforcement Rule lays out how complaints are investigated and compliance reviews are carried out, and how civil money penalties are determined. Once the level of culpability has been established (from lack of knowledge through wilful neglect), fines in the corresponding penalty tier can be issued.
HIPAA: DO's

Train all staff on HIPAA compliance and assign each staff member only the access level their role requires.

Ensure patient files are protected so that unauthorized persons do not have access to them.

Store information on secure, encrypted devices.

Always log off your computer when you leave your desk.

Shred patient records when you need to dispose of them.

Update HIPAA documents annually, or sooner when a change in practice circumstances requires it.

Promptly provide medical records when patients request them.

Ensure all forms carry the proper signatures.

Provide only the minimum necessary information to those who need access to patient data.

Use a cover sheet when faxing health records.

Notify the Department of Health and Human Services should a breach occur, within the Breach Notification Rule's deadlines.


HIPAA: DON'Ts

Text patient information: while we hope our phones will never be lost or stolen, it happens.

Email private information unless the message is encrypted end to end.

Snoop in records when it is not necessary or requested; this includes looking into your own and your family's records.

Release information to unauthorized persons.

Release information to the wrong patient.

Discuss patients' health information in public areas.

Leave patient information on an answering machine.

Release information about a minor without the permission of the minor's parent or guardian.


HIPAA Penalty Tiers
