2. HIPAA
• Title I: protects health insurance for workers
and their families when they lose or change
jobs.
• Title II (InfoSec relevant): creates national
standards for electronic health care transactions
and for the privacy and security of health
information
• Title III: health plan tax adjustments
• Title IV: Group Health plans
• Title V: Revenue Offsets
4. Title II – What you should Know
• HIPAA Key Terms & General Rules
• When you can share patient information and
when you cannot
• Patient’s Rights regarding their health
information
5. HIPAA Key Terms
• Protected Health Information (PHI)
– Patient health information created by or given to a
medical practitioner
– Medical information that identifies the patient in
any format, i.e. verbal, written, or electronic
– Includes: names, addresses, dates, phone
numbers, email addresses, social security
numbers, license numbers, full-face photos, etc.
• Anything that identifies the patient
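The identifier list above is what a practitioner usually has to find in free text before a note, export or log line leaves a covered entity. The following is an added example, not code from the original deck: a small scanner for four of the identifier classes named on the slide (SSNs, phone numbers, email addresses, dates), with a redaction helper. The note it runs on is constructed, and the regular expressions are illustrative assumptions, not an authoritative PHI definition.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Illustrative patterns for four HIPAA identifier classes (assumption: US-style
# formats). Names and initials are deliberately not covered: they need a
# dictionary or NLP model, so a clean scan here does NOT prove a text is PHI-free.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\w)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}


@dataclass(frozen=True)
class Hit:
    kind: str   # identifier class, one of PATTERNS' keys
    value: str  # the matched text
    start: int  # offset of the match in the scanned text
    end: int


def find_identifiers(text: str) -> list[Hit]:
    """Return non-overlapping identifier hits, ordered by position in the text."""
    raw = [
        Hit(kind, m.group(0), m.start(), m.end())
        for kind, pat in PATTERNS.items()
        for m in pat.finditer(text)
    ]
    raw.sort(key=lambda h: (h.start, -h.end))
    hits: list[Hit] = []
    for h in raw:
        # keep the earliest (and longest) match when two patterns overlap
        if hits and h.start < hits[-1].end:
            continue
        hits.append(h)
    return hits


def contains_phi(text: str) -> bool:
    """True if any of the scanned identifier classes appears in the text."""
    return bool(find_identifiers(text))


def redact(text: str) -> str:
    """Replace each hit with a [KIND] token, working right-to-left so offsets stay valid."""
    out = text
    for h in reversed(find_identifiers(text)):
        out = out[: h.start] + f"[{h.kind.upper()}]" + out[h.end :]
    return out


# Constructed sample clinical note (fictional patient, RFC-style example addresses).
SAMPLE_NOTE = (
    "Pt J.D., DOB 03/14/1968, SSN 123-45-6789, cell (415) 555-0134, "
    "email jd@example.com. Seen 2024-02-09 for follow-up."
)

if __name__ == "__main__":
    for h in find_identifiers(SAMPLE_NOTE):
        print(f"{h.kind:6} {h.value}")
    print(redact(SAMPLE_NOTE))
```

Note that the initials "J.D." survive redaction: a regex pre-check is a useful last line of defense before an export, but the minimum necessary rule and proper de-identification still rest on policy and review, not on pattern matching alone.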
6. HIPAA Key Terms
• Covered Entities
– Health care providers, health plans, and health
care clearinghouses that create, store, or
transmit electronic PHI
– e.g. hospitals, family physicians, Blue Cross Blue
Shield, Kaiser Permanente
– Covered entities, and anyone they share their data
with, are subject to HIPAA
7. HIPAA Key Terms
• TPO
• (T)Treatment: activities for patient care
• (P)Payment: monetary transaction for
healthcare services
• (O)Operations: regular activities of a covered
entity to perform healthcare functions
8. HIPAA Key Terms
• Business Associate
– Third parties who have access to PHI
• e.g. a security software vendor building a secure
system for the healthcare practitioner
– Business Associates must sign a Business Associate
Agreement (BAA) committing them to HIPAA
compliance
9. HIPAA Key Terms
• Minimum Necessary Rule
– PHI may only be accessed on an as-needed basis.
– Access only as much PHI as is needed to complete
the job at hand, and no more.
10. HIPAA Key Terms
• Notice of Privacy Practices (NPP):
– Describes the ways the healthcare practitioner
may use PHI without obtaining further patient
authorization
– Any time PHI is released for a reason other than
TPO, further patient authorization is required
11. HIPAA Key Terms
• Use: handling of PHI internally, within the
healthcare office
• Disclosure: release of PHI outside the office, e.g.
to another organization in a larger healthcare
system
12. HIPAA Key Terms
• Types of Disclosure
1. No authorization required
• Sharing PHI with other doctors for referrals
2. No authorization required but must provide
opportunity to object
• Discussing PHI with family members in the room: the
patient must be given the option of privacy
3. Authorization required
• Disclose PHI for research
13. HIPAA Key Terms
• Incidental Disclosures:
– Speaking to a patient in a two-bed hospital room and
the second patient overhears the conversation
– Visitors hear a patient's name called in the waiting
room
– Health practitioners should avoid these as much as
possible, for example by applying the minimum
necessary rule
15. HIPAA Violations
• Covered entities and individuals subject to
violation penalties
• Civil fines up to $1.5 million per violated
provision per calendar year
• Criminal fines up to $250,000 and/or up to 10
years in prison
• Is HIPAA enforced?
– http://www.ama-assn.org/amednews/2012/04/30/bisd0502.htm
16. HIPAA Scenarios
1. If a doctor stores his patients' initials and
medical notes on his iPhone, does the
doctor's iPhone contain PHI?
2. As a doctor, are you allowed to email a
patient's own medical information to their
personal email account?
3. As a nurse, are you allowed to look up a
patient's address to mail a get-well
card?
17. HIPAA Scenario Answers
1. Yes. The iPhone now holds PHI and must be
protected with the same care as an entire
patient medical file.
2. No. You may not send PHI to a patient's
personal email account, because you
cannot ensure that the account, or the path
to it, is secure.
3. No. As a nurse you must abide by the minimum
necessary rule, and sending a card is not
necessary for your job.
18. Ensure HIPAA Compliance
• Apply NIST Special Publication 800-66
– An Introductory Resource Guide for Implementing
the Health Insurance Portability and
Accountability Act (HIPAA)
– http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
19. Assignment
• Imagine you're hired by a dentist's office to
help move their operations from paper-based
records to electronic records.
– What sort of network system and security
(physical and digital) would you recommend
implementing?
– Make sure PHI is managed correctly
– Diagram the network
– Write one single-spaced page explaining why it works