HIPAA: Privacy Information Security
HIPAA imposes new restrictions on the use and disclosure of Personal Health Information (PHI) and gives patients greater access to, and protection of, their medical records.
- PHI is Individually Identifiable Health Information (IIHI) that relates to the past, present or future health condition of an individual and is transmitted or maintained in any form (electronically, orally or on paper).
- Examples: Name, address, dates of service, date of birth, social security number, etc.
What is Disclosure and Use?
- Use: PHI is shared, examined, applied or analyzed within the entity that holds the information.
- Disclosure: PHI is released, transferred, or made accessible to anyone outside the entity that holds the information.
When can PHI be Used/Disclosed?
PHI can be used or disclosed for:
- Treatment, Payment, Healthcare Operations (TPO)
- With authorization from the individual
- Disclosure to the patient
- Incidental uses
When is Authorization Required?
Generally speaking, for uses other than Treatment, Payment and Hospital Operations.
An authorization is a written document, signed by the patient, that specifically gives the covered entity the patient's permission to disclose PHI.
When is Authorization Not Required?
- To maintain a patient directory
- To inform family members of patient location, general condition, or death
- Public health activities
- Coroners, medical examiners, funeral directors, organ donations
- To avert a serious threat to health and safety
- Share only the minimum amount of health information needed to accomplish the task.
- Identify those who regularly access PHI and the types of PHI they need for the proper TPO of the patient.
- The Patient Notice is a required document that outlines the common uses of PHI.
- It must describe the patient's rights and the covered entity's legal duties.
- It must be made available in print.
- It must be displayed at the site of service and posted on a web site.
- Recognizing what types of security issues may arise in the workplace; and
- Knowing what actions to take in the event of a security breach.
- The HIPAA Security Rule requires that everyone in the workforce be trained.
- Members of the workforce include volunteers.
- Always report anything unusual.
- Notify your supervisor if you suspect a security incident.
- Never share your ID or password with anyone.
- Hidden under the keyboard - Keeping a computer password on a yellow post-it note.
- I'll do it my way - Not listening to or following security procedures.
- On, gone, not locked - Walking away from the computer, leaving it unlocked or not turned off.
- Gee, what's in this attachment - Unknown email attachments can carry viruses that cripple systems.
- Weak passwords - Passwords based on information that is easily accessible to others.
- Loose lips - Talking in public about things you shouldn't.
- Laptops with legs - Laptops left unsecured and unattended are vulnerable to theft.
- Law enforcement - Managers and supervisors need to ensure ongoing compliance.
- The threat within - Statistically, most security breaches originate inside the organization.
- Update now - Security updates don't do any good unless they are installed on your computer.
- HIPAA requires that we assign a "Privacy Officer" and an "Information Security Officer".
- This officer will be responsible for overseeing all privacy policies and procedures.
- This officer will be the contact person for receiving complaints.
- Institute a training program for volunteers.
- Civil penalties from $100 to $25,000.
- Criminal penalties up to $250,000 and 10 years in prison.