2. Confidentiality, Security, and
Integrity of Information
Introduction
The purpose of this training program is to educate and inform all users
of Protected Health Information (PHI) about the requirements set forth
by the Health Insurance Portability and Accountability Act of 1996
(HIPAA).
The U.S. Department of Health and Human Services (HHS) issued a “Privacy
Rule” to implement the requirements set forth by HIPAA.
The Privacy Rule standards address the use and disclosure of
individuals’ health information by the organizations (covered entities)
that are subject to the Privacy Rule.
Who Is Covered by the Privacy Rule?
Health plans: Individual and group plans that provide or pay the cost
of medical care.
Health Care Providers: Every health care provider, regardless of size,
who electronically transmits health information in connection with
certain transactions, is a covered entity. Health care providers include
all:
“providers of services” (e.g., institutional providers such as
hospitals) and;
“providers of medical or health services” (e.g., non-institutional
providers such as physicians, dentists, and other practitioners) as
defined by Medicare, and any other person or organization that
furnishes, bills, or is paid for health care.
Health Care Clearinghouses: Entities that process nonstandard
information they receive from another entity into a standard format or
data content. These include billing services, repricing companies,
community health management information systems, and value-added
networks and switches if these entities perform clearinghouse
functions.
What Information is Protected?
Protected Health Information: All “individually identifiable health
information” held or transmitted by a covered entity or its business
associate, in any form or media, whether electronic, paper or oral,
including demographic data that relates to:
The individual’s past, present or future physical or mental health
condition,
The provision of health care to the individual, or
The past, present, or future payment for the provision of health care to
the individual,
Health information becomes individually identifiable when it is tied to
identifiers such as:
Name
Address
Birth date, and
Social Security Number
General Principles for Uses and Disclosures:
A covered entity may not use or disclose protected health information,
except:
To those parties that have a “need to know,” such as billing agencies
or regulatory bodies, as permitted or required by the Privacy Rule; or
As the individual who is the subject of the information (or the
individual’s personal representative) authorizes in writing.
Required Disclosures which include:
To individuals (or their personal representatives) specifically
when they request access to, or an accounting of disclosures of,
their protected health information; and
To HHS when it is undertaking a compliance investigation or
review or enforcement action.
Notice and Other Individual Rights
Each covered entity, with certain exceptions, must provide a notice of
its privacy practices, and that notice must contain certain elements:
Ways in which the entity may use and disclose PHI
The entity’s duties to protect privacy, provide a notice of privacy
practices, and abide by the terms of the current notice.
The individuals’ rights, including the right to complain to HHS and to
the covered entity if they believe their privacy rights have been
violated.
A point of contact for further information and for making complaints
to the covered entity.
Enforcement and Penalties for Noncompliance:
Termination of employment for violation of HIPAA policy.
Civil penalties against the entity of $100 per failure to comply with a
Privacy Rule requirement.
Criminal penalties for an individual of up to $50,000 and up to one year
imprisonment for knowingly obtaining or disclosing PHI.
The criminal penalties increase to $100,000 and up to five years
imprisonment if the wrongful conduct involves false pretenses, and to
$250,000 and up to ten years imprisonment if the wrongful conduct
involves the intent to sell, transfer, or use individually identifiable
health information for commercial advantage, personal gain, or
malicious harm.
What is Your Role?
Ensure that patient information is not disclosed improperly by logging
off computer terminals and keeping records within the appropriate
setting.
Do not discuss patient information on social media or in areas outside
the clinical setting.
Do not share information about patients with friends or family.
Discuss patient information only with those parties the Privacy Rule
permits, such as other covered entities.
Do not give your computer password to anyone.
References:
Summary of the HIPAA Privacy Rule, Office for Civil Rights, United
States Department of Health and Human Services, 05/03,
www.hhs.gov/ocr/privacy/hipaa/understanding/summary/ind;
retrieved November 13, 2012.