HIPAA


This HIPAA compliance training covers the importance of protecting PHI (Protected Health Information): why PHI is so valuable to cybercriminals, current data breaches, current industry fines, the importance of encrypted email, and your responsibilities.

The federal law known as HIPAA is the Health Insurance Portability and Accountability Act of 1996. Its goals are standardization and efficiency in health care data, and prevention of discrimination and fraud. HIPAA protects against unauthorized disclosure of any protected health information that pertains to the patient. It establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. HIPAA also improves the efficiency and effectiveness of the health care system through specific transaction standards and code sets.

The HIPAA law applies directly to these groups, called covered entities and business associates. They are Healthcare Providers, Health Plans, and Healthcare Clearinghouses, as well as technology companies and cloud service providers, or anyone else that has access to personal health information.

A Health Care Provider is any provider of medical or other health services, or any organization or person who transmits any health information in electronic form. This includes organizations and individuals that bill or are paid in connection with services in the normal course of business.

A Health Plan is any individual or group plan that provides or pays the cost of healthcare such as an
insurance company, Medicare, or Medicaid.

A Health Care Clearinghouse is a public or private entity that transforms healthcare transactions from one form into another, required format.

A Business Associate is any company or individual with access to Protected Health Information (PHI) or ePHI. A Business Associate is required to have a risk assessment, training, and policies and procedures.

Some examples of a business associate are IT vendors, laboratories, call centers, court reporters, cloud providers, legal services, and suppliers and manufacturers with access to PHI or ePHI.

Business associates must comply with HIPAA requirements by signing a contractual agreement with the covered entity. This is called a Business Associate Agreement, or BAA. Under the BAA, the business associate will only use the protected health information for proper purposes and will safeguard it from misuse.

The history of HIPAA, what it is, and what it covers: Back in the 1990s, with the growth of the internet, Congress recognized it needed a system to enforce the rights of patients and protect the privacy of their medical records. This led to the creation of the HIPAA act. The Omnibus Rule of 2013 expanded how technology companies must protect that information.

The United States legislation of 1996 provides data privacy and security provisions for safeguarding PHI. The HIPAA law applies directly to these groups, called covered entities. Covered Entities include Healthcare Providers, Health Plans, and Business Associates. A Covered Entity is any provider of medical or other health services, or a person that has PHI (also known as Protected Health Information).

HIPAA terminology:

HIPAA stands for Health Insurance Portability and Accountability Act of 1996.

HITECH stands for Health Information Technology for Economic and Clinical Health Act of 2009.

The goal of HITECH is to promote the adoption and meaningful use of health information technology. It significantly expands the HIPAA privacy rule and security standards and adds new requirements concerning the privacy and security of PHI.

PHI is Protected Health Information and it deals with a patient’s personal information.

ePHI is electronic Protected Health Information, such as personal health information stored and transmitted electronically. Examples are faxes, emails, data backups and cloud providers, patient portals, removable media, and secure texting. All of this data must be encrypted at rest and in transit.

A Business Associate is anybody that supports the healthcare industry and performs functions or activities in support of a covered entity. They are also financially liable for data breaches caused by their organization or employees.

Business Associates are now required to have a risk assessment, just like a covered entity, including training and a book of evidence.

A Risk Assessment is a set of government-mandated questions to help you identify your gaps in risk, not only to your business but also to a covered entity.

A Book of Evidence is the customized book of policies and procedures you are required to create; it explains how you handle PHI and ePHI.

Business associates are also required to notify covered entities of any potential and active data breaches, to ensure PHI is protected at all times.

A Covered Entity is any provider of medical or other health services, or a person that has PHI.

Some examples of covered entities include: physicians, optometrists, dentists, nurses, mental health providers, radiologists, laboratories, durable medical equipment providers, hospitals, ambulance companies, healthcare workers, case managers, social workers, pharmacies, and call centers.

Can PHI be disclosed for public health activities? Yes, but it is limited to the CDC, public health authorities at the state or federal level, and OSHA. OSHA can request information without authorization or the need for a Business Associate Agreement.

In the event of a natural disaster or state of emergency the Federal Government or OSHA
can request PHI to determine demographics of the affected area.

HIPAA Privacy and Security Rules:

The HIPAA Security Rule permits the electronic sharing of ePHI as long as safeguards are in place.

For example, a physician may consult with another physician by secure e-mail about a patient's condition, or a health care provider may electronically exchange PHI through Electronic Medical Records for patient care.

A covered entity needs to engage administrative, physical, and technical safeguards to protect
information.

Administrative safeguards include office rules and procedures that keep data secure.

Physical safeguards include limiting physical access to facilities while ensuring that authorized access is allowed, and implementing policies and procedures to specify proper use of and access to computers, or the positioning of screens in patient areas.

They must also have in place policies and procedures regarding the physical transfer,
removal, disposal, and reuse of electronic media, like computer hard drives.

Some technical safeguards include implementing hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use protected health information.

Patients' rights: You can ask for a copy of the rights and privacy policies of your doctor or hospital. Individuals, including yourself, are entitled to see or get a copy of the medical records that your practice keeps.

Patients may not be allowed to see certain parts of the full record, but they have the right to ask.

With the rising cost of healthcare, we are seeing an increase in people paying for their medical services themselves.

You are not required to disclose PHI with a patient’s health plan for payment if he
or she is paying for the services.

Patient authorization is necessary to obtain an individual's personal health information and billing, but it is not required to treat the patient.

Not only is the Book of Evidence a requirement, but the Book of Evidence will also protect your business in case of a breach, a violation, or an audit.

The healthcare industry has the 4th largest number of data breaches among the top 5 business sectors in the US. These sectors are Financial Services, Retail, Government, Healthcare, and Manufacturing.

The value of personal data to a cybercriminal is much higher than the credit card or bank account
number.

As we know from the Equifax breaches, the WannaCry ransomware attacks, and daily ongoing electronic attacks, PHI is extremely valuable to cybercriminals because they can use it to create and sell a brand new identity on the dark web.

The platforms used include business applications, USB drives, social media, website attachments, and emails. Email is the largest medium for distributing ransomware. If you receive a suspicious email, NEVER open it. Just delete the email and notify your HIPAA compliance officer and IT company.

HIPAA law covers PHI in electronic format. This includes all social media platforms, such as Facebook, Twitter, Snapchat, and Instagram. Never, under any circumstance, disclose a patient's name or treatment on any social media platform.

You can personally be liable financially and criminally for disclosing PHI on social media.

This means you have to use an encrypted texting platform or chat. Is Gmail, Hotmail, AOL, Yahoo, or your local IT provider's email compliant? The answer is no, because all email through these free platforms is subject to automated

You must use a paid service like Google G Suite or Microsoft Office 365, as they will sign a BAA. Faxes are an approved and compliant means to send PHI.

A risk assessment: a regular compliance risk assessment.

A book of evidence: The Book of Evidence contains all of your policies and procedures on how you handle PHI and ePHI.

Compliance training: Training is essential for you and your staff to understand how to protect PHI and your business policies.

In 2008, there were $100,000 in fines. Since then we have seen a steady increase to multiple millions of dollars in fines, rising every year. In 2017, a record was set with $23 million in fines.

The price of a health record is over $700 on the dark net.

If you do not feel confident about whether you are HIPAA compliant, be sure to engage a trustworthy HIPAA compliance partner that can guide you and help you navigate your HIPAA compliance journey.

Some common issues we see when an organization is not HIPAA compliant:

Lack of understanding of HIPAA and HITECH laws,

Limited or no training on how to handle PHI, ePHI and oral conversations,

No Risk Assessments to identify risk to PHI,

A Limited or no Book of Evidence (which includes your policies and procedures),

No Business Associate Agreements,
