HIPAA

AN OVERVIEW OF HIPAA

The HIPAA PRIVACY RULES

What is the HIPAA Privacy Rule?

“The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.” Definition provided by the US Department of Health and Human Services

The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities", Business Associates, and third-party service providers who may come into contact with patient healthcare data or payment information. PHI is regarded as any part of an individual’s medical records or payment history. The HIPAA Privacy Rule applies to PHI in any form. This includes computer and paper files, x-rays, medical appointment schedules, medical bills, dictated notes, conversations, and information entered into patient portals.

1. Healthcare providers and other covered entities must safeguard information that reasonably could allow someone to identify an individual receiving care. What is this called?

  • a. Privacy Rule
  • b. Consent Rule
  • c. Disclosure Rule
  • d. Health Information Rule

What is PHI?

As mentioned above, PHI stands for Protected Health Information and is defined as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.” 

But what is this information and who does it apply to?

HIPAA regulations list eighteen different personal identifiers which, when linked together in any combination, are classed as Protected Health Information. These eighteen personal identifiers are:

  1. Names 
  2. All geographical data smaller than a state 
  3. Dates (other than year) directly related to an individual 
  4. Telephone numbers 
  5. Fax numbers
  6. E-Mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet protocol (IP) addresses
  16. Biometric identifiers (e.g. retinal scans, fingerprints, etc.)
  17. Full face photos and comparable images
  18. Any unique identifying number, characteristic or code

5. What are the following examples of: Name, social security number, demographic data to include address, phone number, and date of birth?

  • a. Relevant Information
  • b. Protected Health Information
  • c. Personnel Information
  • d. Identity Information

Who Has a Responsibility to Protect PHI?

Those with a responsibility to protect PHI and comply with the HIPAA Privacy Rule fall into three main categories: 

  • Covered Entities 
  • Business Associates 
  • Subcontractors

Continuum Pediatric Nursing is considered a Covered Entity, and as an employee you too are responsible for protecting PHI.

Use and Disclosure of PHI

The HIPAA Privacy Rule limits how PHI can be used and disclosed to protect patient healthcare and payment information while attempting to avoid the creation of unnecessary barriers to delivering healthcare services. As such, a Covered Entity is prohibited from using or disclosing PHI unless authorized by the patient, except where this prohibition would interfere with delivery of quality healthcare or with certain other important public benefits or national priorities.

The full criteria for what constitutes use or disclosure are outlined in the HIPAA Privacy Rule at 45 CFR §164.501 and onwards.

The HIPAA Security Rule

  • What is the HIPAA Security Rule?
  • What is the Difference between PHI and ePHI?
  • Safeguards
    • Workstations
    • Workstation Security
  • e-Mail Security
  • Text Messaging

What is the HIPAA Security Rule?

“The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic Protected Health Information.” Definition provided by the US Department of Health and Human Services

Where the HIPAA Privacy Rule deals with the integrity of PHI in general, the HIPAA Security Rule deals specifically with electronic Protected Health Information (ePHI) and is a response to the increasing use of mobile devices in the workplace.

What is the Difference between PHI and ePHI?

While PHI relates to ALL Protected Health Information regardless of its format, electronic PHI (ePHI) is defined as all PHI that is stored, transmitted or used electronically.

Safeguards

WORKSTATIONS

In the eyes of the Department of Health and Human Services, a workstation is any electronic device that can be used to access ePHI. This includes desktop PCs, laptops, tablets, and mobile devices. This definition is not restricted to work issued devices, but includes any device you use to access ePHI, even personal cell phones.

WORKSTATION SECURITY

All workstations must have appropriate security in place in order to prevent unauthorized access to ePHI. Typically, this includes:

  • Unique usernames and passwords
  • PIN or security codes
  • Automatic log out after a predetermined period of inactivity

As above, this applies to all devices used to access ePHI regardless of who owns the device.

Use of unsecured devices by any employee is strictly forbidden.

4. Cell phones that are used to transmit PHI should always be password-protected.

  • a. True
  • b. False

3. Patient information should be stored on unencrypted USB devices.

  • a. True
  • b. False

e-Mail Security

All e-Mails containing ePHI (including any attachments) must be sent via an encrypted e-Mail channel. Continuum uses an Office 365 solution which ensures that not only is the original message encrypted, but any replies are encrypted as well.

2. All emails and text messages containing Protected Health Information should be sent via secure encryption.

  • a. True
  • b. False

Text Messaging

Unless sent via an encrypted SMS system, text messaging of PHI is prohibited, as standard text messaging fails to meet HIPAA requirements.

How do I know if I am responding to a secure e-Mail?

Continuum uses a secure e-Mail system from Microsoft’s Office 365 Platform. Any secure e-Mail you receive from Continuum will have “<secure>” as the first part of the Subject Line. The body of the e-Mail will look similar to this:

You've received an encrypted message from [email protected] 

To view your message 

  • Save and open the attachment (message.html), and follow the instructions.
  • Sign in using the following e-Mail address: [email protected]

This e-Mail message and its attachments are for the sole use of the intended recipient or recipients and may contain confidential information. If you have received this e-Mail in error, please notify the sender and delete this message. 

Message encryption by Microsoft Office 365  

To open this e-Mail you will need to save and open the attached “message.html” file and follow the instructions. The procedure varies based on device (computer, tablet, iPhone, Android) so it is important to read all the instructions. Many mobile devices will not support opening encrypted e-Mails without specific applications being installed first. For this reason, Continuum recommends that you open secure e-Mails from a PC or laptop.

To respond to a secure e-Mail, once opened, reply as you normally would. Do NOT start a new, unsecured e-Mail.