Speaker 1: With the advent of electronic processing, communication and storage of medical data, it's much easier to share patient information among the healthcare professionals who treat them. But how can people's private health information be kept confidential and secure at the same time? In the U.S., this concern has been addressed by a group of federal laws known as HIPAA, the Health Insurance Portability and Accountability Act of 1996. And everyone who works in healthcare-related fields should have a practical understanding of the HIPAA regulations and how HIPAA affects them. This program will discuss HIPAA's requirements, explain its language, and provide the information employers and employees need to understand and comply with the law.

HIPAA established three rules for safeguarding the privacy and security of patients' medical information. The HIPAA Privacy Rule gives patients specific rights regarding their health information. It also regulates who else can have access to this information. The HIPAA Security Rule established standards for safeguarding this information when it is transmitted or stored in electronic form. The HIPAA Enforcement Rule set up procedures for investigating potential violations of HIPAA regulations and established penalties to help enforce compliance. HIPAA was followed by two other acts that related to the privacy and security of health information. The Genetic Information Nondiscrimination Act, known as GINA, focused on protecting people's genetic information. The Health Information Technology for Economic and Clinical Health Act, or HITECH, extended the reach of HIPAA requirements and updated the penalties for violating them. In 2013, a final Omnibus Rule officially integrated GINA and HITECH with HIPAA and formed the health information regulations that are enforced today.
HIPAA defines Protected Health Information, PHI, as any data about a person's health, their health care, or payment for their health care that is created or collected by a health care provider, health plan, or health care clearinghouse, their business associates, and subcontractors, is transmitted or maintained in electronic form or any other medium, and identifies the person, or could be used to identify the person, that it relates to. PHI can include things such as physician's notes and health care billing information, blood test results, doctor's telephone records, an MRI scan, and appointment scheduling notes. PHI can be in any form: oral, recorded, written down on paper, stored in a computer, or on the Internet. PHI that is stored or transmitted in electronic form is sometimes referred to as ePHI. Just keep in mind that whatever term is used, the P stands for Protected. HIPAA groups the organizations and people that are responsible for protecting health information into three categories: covered entities, business associates, and subcontractors. A covered entity is a health care provider that electronically transmits health information in connection with certain types of administrative and financial transactions. Doctors, clinics, psychologists, dentists, nursing homes, and pharmacies can all be covered entities. A covered entity can also be a health plan, such as health insurance companies, HMOs, and government programs that pay for health care, such as Medicare and Medicaid, as well as military and veterans programs. A health care clearinghouse can be a covered entity as well. This includes entities that process non-standard health information received from another entity into a standard form. A business associate is a person or business that has access to PHI as part of working with or providing services to a covered entity.
Business associates can include a physician's medical transcriptionist, a consultant who performs utilization reviews for a hospital, or an accounting firm that audits a company's health plan. A subcontractor is a person or business who has access to PHI while working with or providing services to a business associate. For example, when the CPA firm that is a business associate of a covered entity buys data storage services from a third party, that third party is a subcontractor. Similarly, if a medical transcriptionist has a local computer services company inspect the contents of her hard drive, that company is a subcontractor. Knowing what types of companies fit into these categories is important because chances are you or your employer fall into one of them, so you will need to comply with HIPAA regulations.

Under HIPAA, patients have specific rights regarding their protected health information. First, covered entities are required to provide patients with a Notice of Privacy Practices, or NPP. This document outlines the entity's policies regarding the use and disclosure of a patient's PHI. The NPP must be given to patients the first day they are provided with a service, or as soon as possible following an emergency. Under HIPAA, patients have the right to inspect, correct, and request that changes be made to their PHI. Patients may also request that their PHI be communicated to them by other than the normal means and at alternate locations to protect confidentiality. For example, a patient could ask a fertility clinic not to call them at work, but to send them an email at home, or ask a specialist not to send an appointment reminder by postcard, but enclosed in an envelope. In some cases, a patient's request for access to their PHI may be denied by the covered entity.
This may occur when the information is in the form of psychotherapy notes, has been compiled for use in a civil, criminal, or administrative proceeding, is held by a correctional institution and access could jeopardize the health and safety of inmates, employees, or others, and in certain other limited circumstances. In these cases, HIPAA requires the covered entity to provide the patient with a written explanation of why their request is being denied and inform them of how they can complain to the covered entity's privacy officer or to the Department of Health and Human Services. A patient also has a right to designate a third party to receive their ePHI, and to request an accounting of PHI disclosures made by a covered entity for up to six years prior to the request. If for any reason the patient is incapable of exercising their rights, for example, if they are small children or mentally handicapped, a representative can be chosen to exercise these rights on their behalf. HIPAA uses the terms use and disclose to describe the two ways that protected health information can be handled. Use occurs when a covered entity examines, applies, or analyzes the information. Disclosure takes place when the information is released, transferred to, or accessed by a business associate or subcontractor. The use and disclosure of PHI is permitted for disclosure to the patient; with patient authorization or agreement; for purposes of treatment, payment, and day-to-day health care; and for incidental uses, such as doctors talking to patients in a semi-private room where other patients or personnel may be present. The use or disclosure of PHI is required when it's requested or authorized by the patient, and when it's requested by the Department of Health and Human Services. And since health care providers need access to PHI to provide quality care to a patient, patients cannot restrict disclosure of their PHI for purposes of medical treatment.
But patients can restrict disclosure to a health plan or the plan's business associates if the person has already paid for the treatment themselves. HIPAA restricts how much patient PHI can be used or disclosed by enforcing the minimum necessary standard. This standard requires that any PHI that is not strictly necessary to get the job done will not be used by a covered entity or disclosed to a business associate or subcontractor. There are several situations where this minimum PHI may be used or disclosed without patient authorization. The most common of these is in day-to-day health care operations, such as patient treatment and when a health plan is making payment for services that a patient has received. The minimum necessary PHI may also be shared without patient permission or authorization when it's in the interest of public health, to control or prevent disease, for health oversight activities, to monitor FDA-regulated products, to comply with a HIPAA investigation, and for certain law enforcement purposes. At a minimum, a patient's signed authorization is not required, but their verbal permission is required, to use or disclose minimum PHI for the purpose of maintaining a covered entity's patient directory or informing family or other people who are involved in a patient's care. However, a signed patient authorization is required for the use or disclosure of psychotherapy notes, unless that use or disclosure is required by the health care provider, or is permitted or required by law. Does that make sense? Another thing that the HIPAA Final Omnibus Rule did was to set stricter limits for how PHI may be used or disclosed for marketing purposes, but it is less stringent about using PHI for fundraising. The Privacy Rule defines marketing as a communication about a product or service that encourages recipients of the communication to purchase or use that product or service, and initially applied only to covered entities.
But marketing is also defined as an arrangement in which a covered entity discloses PHI to another entity that will use it for a communication that encourages recipients to purchase or use a product or service. For an individual's PHI to be used or disclosed for the purpose of these two types of marketing, the covered entity must first obtain the patient's signed authorization. However, a marketing communication does not require a patient's authorization when it is made in the form of a face-to-face communication or a gift of nominal value that is given to the patient by the covered entity. There are three other types of communication that are not considered marketing, where PHI can be used or disclosed without the patient's authorization: if they describe health-related products or services that are provided by or included in a plan of benefits from the covered entity that is making the communication; if they are made for the treatment of the patient, such as a pharmacy sending prescription refills or a physician providing free samples of a prescription drug to the patient; or if they are made to coordinate care or to recommend alternative treatments, providers, or service locations to the patient. As for fundraising, HIPAA does not require patient authorization or permission for their PHI to be used for fundraising purposes. The only requirement is that all fundraising communications must include a simple method, such as an email address or toll-free telephone number, that can be used to opt out of receiving any additional fundraising communications.

The HIPAA Security Rule deals with protecting the confidentiality and integrity of PHI when it is in electronic form, also known as ePHI. The rule is intended to prevent ePHI from being accessed by unauthorized persons or otherwise tampered with.
To accomplish this, the Security Rule requires the use of administrative, technical, and physical safeguards on the part of entities that have custody of this information. Administrative safeguards are policies and procedures that limit access to ePHI. They include systems that detect, correct, and prevent security breaches; incident policies that describe how to respond to a breach if one occurs; ongoing audits and evaluations to ensure compliance with HIPAA regulations; and contingency plans for protecting ePHI during emergencies and natural disasters. Technical safeguards protect the data storage and transmission systems that handle ePHI from inside computer systems and networks, such as monitoring and antivirus software, encryption and digital signatures, and alarms regarding suspicious activity. Physical safeguards work from the outside. They restrict access to computers and other high-tech equipment that stores and transmits ePHI, as well as the rooms and buildings that house the equipment. These include things such as parking restrictions, security guards, and ID badges; unique personal IDs and regularly updated passwords; and controls that keep ePHI secure when computer hardware or software is being moved or disposed of. Remember, never share your password with anyone else.

The HIPAA-mandated policies, procedures, and safeguards we have discussed are all designed to ensure the privacy and security of protected health information. But when impermissible access, acquisition, use, or disclosure of PHI occurs in spite of these measures, that violation is called a breach. If a breach is suspected, HIPAA presumes that one has actually occurred unless the covered entity that is involved can demonstrate that there is a low probability that PHI was actually compromised. If it is determined that a breach has in fact occurred, the covered entity must inform patients of that fact. This breach notification must be accomplished within 60 days of the date of the breach. If the breach affects the PHI of 500 people or more, the news media must be informed of the breach as well. HIPAA also requires that the Department of Health and Human Services be notified of all breaches. The penalties for having a data breach occur can be significant, up to $1.5 million per violation. And anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity can be subject to these penalties, including individuals and business entities. So there are strong incentives for you and your employer to follow HIPAA guidelines carefully.

We've seen that HIPAA regulations can go into considerable detail. But they're really not that hard to get a handle on if you keep a few basic principles in mind. Let's review. HIPAA is a set of federal laws that protects the privacy and security of patients' health information. Protected health information, PHI, can be any data about a person's health, their health care, or payment for their health care that identifies the person or that could be used to identify the person that it relates to. PHI can be in any form: oral, written, or electronic. HIPAA groups businesses and individuals that have access to PHI into three categories: covered entities, business associates, and subcontractors. All of these groups are bound by the HIPAA privacy, security, and enforcement rules. Penalties for HIPAA violations can be significant, in excess of a million dollars. The use of digital information technology has made it possible to make better health care available to more people. But that benefit should not have to come at the cost of anyone's privacy. When you understand the objectives of the HIPAA regulations and the procedures that make them work, you can help to guarantee the confidentiality of every patient's private health information every day.