Course Content
Introduction
The Health Insurance Portability and Accountability Act (HIPAA) requires all practitioners to ensure the privacy and security of patient information. The Privacy and Security rules went into effect on April 14, 2003, with stiff penalties for those who fail to comply, or who improperly disclose or misuse protected health information.
The HIPAA Privacy and Security Rules require that everyone who may come in contact with patients’ healthcare information complete training on HIPAA policy, and that documentation exist to prove that the training has been completed.
As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act updated federal HIPAA privacy and security standards.
The updates include:
Breach notification requirements
Fine and penalty increases for privacy violations
Right to request copies of the electronic health care record in electronic format
Mandates that Business Associates are civilly and criminally liable for privacy and security violations
Overview
In 1996, Congress enacted the Health Insurance Portability and Accountability Act, also known as HIPAA. The primary purpose of HIPAA is:
To protect people from losing their health insurance if they change jobs or have pre-existing health conditions
To reduce the costs and administrative burdens of healthcare by creating standard electronic formats for many administrative transactions that are currently carried out on paper, and
To develop standards and requirements to protect the privacy and security of confidential healthcare information.
In April 2003, the Department of Health and Human Services issued new regulations referred to as the Privacy Rule and Security Rule. The regulations require healthcare organizations to adopt processes and procedures to ensure the highest degree of patient confidentiality. These processes include administrative, physical and technical safeguards to ensure that medical information is stored, transmitted and received in a safe and secure manner.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
As you can imagine, the HIPAA regulations impact virtually every department of every entity that has access to confidential health information. Hospitals, medical practices, insurance companies, medical-device manufacturers and other healthcare organizations are undergoing major changes in the way they handle patient information.
The Privacy and Security Rules provide stiff penalties for those who fail to comply with the requirements or who improperly disclose or misuse protected health information (PHI).
It is important that all those who may come in contact with PHI understand and carry out their responsibilities under the Rules, as outlined in this training program.
Covered Entities
HIPAA is a broad and far-reaching law. Entities covered by the Privacy and Security Rules include healthcare plans, providers and clearinghouses.
The Rule also extends to the business associates of covered entities, which include auditors, consultants, lawyers, data and billing firms, and others with whom the covered entities have agreements involving the use of protected health information. The covered entity must receive satisfactory assurances that the business associate will comply with the Privacy and Security Rules, though the covered entity need not monitor the business associate’s work unless it learns of a problem with compliance.
In addition, the Rules apply to any company that offers healthcare and treatment to its employees on-site. Thus, if an employer or school operates an on-site clinic, the clinic would be a covered entity, and its patient information would be subject to the Privacy and Security Rules.
Examples of Covered Entities
What is a Business Associate?
A person or entity which performs certain functions, activities, or services for your organization involving the use and/or disclosure of PHI, but the person or entity is not a part of your organization or its workforce. (Examples: transcription services, temporary staffing services, record copying company, home healthcare agencies, nursing homes, assisted living, rehabilitation centers etc.)
Your organization is required to have agreements with business associates that protect a patient’s PHI.
Entities Covered by State Law
When covered entities use or transmit protected health information in any form, they must comply not only with the Privacy and Security Rules, but also with any State laws regarding privacy of medical records.
In the event of a conflict between HIPAA and state law, HIPAA preempts state law unless the state law is more strict. (In other words, whichever provides greater protection to patients must be followed.)
The terrain of state health privacy law remains uneven. While the Federal Health Privacy Rules have established some uniform minimum standards, state health privacy laws remain diverse in the rights and protections that they afford. Because the Federal Health Privacy Rules do not cover all who hold health information and do not preempt many state laws, the level of protection afforded to health information continues to vary depending on who is holding the information and the state in which they are located.
Covered Transactions
HIPAA establishes a single set of transaction standards for electronic healthcare transactions, thus enabling healthcare providers and insurance companies to communicate more fluidly. The Privacy and Security Rules cover the following types of information transactions:
Healthcare claims (professional, institutional and dental)
Health plan eligibility inquiries and responses
Enrollment and disenrollment in a health plan
Healthcare payment and remittance advice
Health plan premium payments
Claim status inquiries and responses
Referral certification and authorization, and
Coordination of benefits.
The rules also require covered entities to use special coding standards for all transactions involving electronic data interchange (EDI), including the use of “unique identifiers” for providers, health plans, employers and patients. These new coding standards are still being developed and defined by the Department of Health and Human Services.
Protected Health Information (PHI)
The Privacy and Security Rules protect individually identifiable health information transmitted or maintained by a covered entity, no matter what form it takes.
This means that when a doctor takes notes in a medical chart, when a hospital data-entry clerk types health insurance information into a computer, or when healthcare providers discuss a patient’s condition, any identifiable health information becomes protected health information (PHI) under HIPAA.
Note, however, that employment records held by a covered entity in its role as an employer are not considered PHI.
While many covered entities may seek to rely on practice-management software or healthcare clearinghouses as a means of ensuring HIPAA compliance for their healthcare transactions, software alone cannot provide a complete solution. Most of the work in complying with HIPAA for all covered entities is in developing and administering systems and policies that prevent the misuse of PHI in a comprehensive and consistent way.
Examples of PHI
PHI = Health Information with Identifiers
Name
Postal address
All elements of dates except year
Telephone number
Fax number
Email address
URL address
IP address
Social security number
Account numbers
License numbers
Medical record number
Health plan beneficiary number
Device identifiers and their serial numbers
Vehicle identifiers and serial number
Biometric identifiers (finger and voice prints)
Full face photos and other comparable images
Any other unique identifying number, code, or characteristic
Applies to Written and Electronic Information
Treatment – Payment – Healthcare Operations (TPO)
Notice of Privacy Practices (NPP)
The Privacy Rule requires a covered entity to:
Provide patients with a Notice of Privacy Practices (NPP); and
Make a good-faith effort to obtain a patient’s written acknowledgment of receiving the NPP.
The NPP must inform patients of:
The uses and disclosures of PHI that the entity may make
The patient’s right to access and amend their medical information, and
The covered entity’s responsibilities with respect to PHI.
Once it has obtained the acknowledgment or has made a good-faith effort to do so, the entity may:
Use PHI for its own treatment, payment or healthcare operations; and
Disclose PHI to other covered entities for their treatment, payment or certain limited healthcare operations.
When using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.
Covered Entities’ Responsibility
Must use or share only the minimum amount of PHI necessary, except for requests made
For treatment of the patient
By the patient, or as requested by the patient to others
To complete standardized electronic transactions, as required by HIPAA
By the Secretary of the Department of Health & Human Services (DHHS)
As required by law
Examples of TPO
The patient’s referring physician calls and asks for a copy of the patient’s recent exam at your organization (Treatment)
A patient’s insurance company calls and requests a copy of the patient’s medical record for a specific service date (Payment)
The Quality Improvement office calls and asks for a copy of an operative report (Health Care Operations)
Patient information may be provided for these TPO purposes
For Purposes other than TPO
Unless required or permitted by law, entities must obtain written authorization from the patient to use, disclose, or access patient information.
Patient Authorization allows entities to disclose information for purposes not related to treatment, payment, or operations
Additional rules and training are required if your organization is involved in human subjects research.
PHI may not be accessed for human subjects research unless the Institutional Review Board (IRB) has approved the research, and EITHER both Informed Consent and HIPAA Authorization have been obtained from the subject, OR the organization’s IRB has approved a Waiver of Informed Consent and HIPAA Authorization.
Use and Disclosures of PHI for Research
PHI may be used in research if appropriate authorization from research participants is obtained, or if the PHI is obtained through one of the following alternatives:
Certified De-identified data sets;
Limited data sets (when accompanied by an appropriate Data Use Agreement);
Waiver or alteration of the authorization requirement by an Institutional Review Board (IRB) or Privacy Board;
Research involving decedents’ PHI (when appropriate representations are made by the researcher to your organization that the PHI is necessary and sought solely for research on decedents); or
Reviews preparatory to research when your organization receives representations from the researcher that access to the PHI is necessary and will not be removed from your organization.
PHI may be used in research only by those individuals authorized to access the information by the person(s) responsible for the project (principal investigator, project director, project coordinator) or the department head. The person(s) responsible must protect the information from unauthorized access and must maintain and regularly update a list of staff that is authorized to have access to the PHI.
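The research alternatives above depend on data actually being de-identified, and the identifier list in the “Examples of PHI” section is the checklist for that. The following is an added example, not part of the course material: it drops the listed structured identifiers from a record, keeps only the year of any date, and redacts a few identifier patterns from free-text notes, which is where identifiers most often survive a de-identification pass. The field names, the regular expressions and the sample record are all constructed for this example; a real review would run against the organization’s own record schema.

```python
import re

# Structured fields corresponding to the identifier list in the course.
# The field names are hypothetical; map them to your own record schema.
IDENTIFIER_FIELDS = {
    "name", "postal_address", "telephone", "fax", "email", "url", "ip_address",
    "ssn", "account_number", "license_number", "medical_record_number",
    "health_plan_beneficiary_number", "device_serial", "vehicle_id",
    "biometric", "photo", "other_unique_code",
}

# All elements of dates except the year are identifiers, so only the year
# is kept. Dates are assumed to be ISO strings of the form "YYYY-MM-DD".
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}

# Simple patterns for identifiers that tend to leak into free-text notes.
# Constructed for this example; not an exhaustive detector.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "telephone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ip_address": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "full_date": re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/\d{4}(?!\d)"),
}


def redact_free_text(text):
    """Replace identifier patterns in free text with a labelled placeholder."""
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[REDACTED:{kind}]", text)
    return text


def deidentify(record):
    """Return a copy of the record with the listed identifiers removed."""
    clean = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue                                  # drop direct identifiers entirely
        if field in DATE_FIELDS:
            clean[field + "_year"] = str(value)[:4]   # keep the year only
            continue
        clean[field] = redact_free_text(value) if isinstance(value, str) else value
    return clean


def find_residual_identifiers(record):
    """Audit check: list (field, kind) pairs for identifiers still present."""
    findings = []
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            findings.append((field, "identifier_field"))
        elif field in DATE_FIELDS:
            findings.append((field, "full_date"))
        elif isinstance(value, str):
            for kind, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    findings.append((field, kind))
    return findings


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "medical_record_number": "MRN-000123",
    "date_of_birth": "1970-03-14",
    "admission_date": "2023-11-02",
    "diagnosis": "Type 2 diabetes",
    "notes": "Follow-up call to 555-867-5309; reached patient at "
             "jane@example.org on 11/02/2023 about lab results.",
}

if __name__ == "__main__":
    print("Before:", find_residual_identifiers(SAMPLE_RECORD))
    clean = deidentify(SAMPLE_RECORD)
    print("After:", find_residual_identifiers(clean))
    print(clean)
```

The second function is the useful one in practice: run it over the de-identified output before it leaves the organization, and treat any finding as a reason to stop the release, not as something to fix by hand in the exported file.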
Other Use of PHI
As a general rule, a covered entity may not use or disclose protected health information for purposes other than treatment, payment and healthcare operations without the patient’s written authorization.
Marketing
The Privacy Rule prohibits a covered entity from disclosing PHI to others for marketing purposes without the patient’s written authorization. For example, a pharmacy may not provide a pharmaceutical company a list of patients with a particular disease or condition in order for the pharmaceutical company to market drugs to those patients without their authorization.
At the same time, communications regarding treatment, case management or the recommending of alternative therapies are excluded from the definition of “marketing,” as are communications that promote health in a general manner. Thus, for example, a health-related newsletter that a covered entity distributes to patients to inform them about new healthcare developments would not be considered marketing under the Privacy Rule.
Incidental Disclosures
The Privacy Rule allows “incidental” disclosures of PHI, as long as the covered entity uses reasonable safeguards and adheres to the “minimum necessary” standards. For example, doctors’ offices may use waiting-room sign-in sheets, hospitals may keep charts at bedside, doctors may talk to patients in semi-private rooms, and medical staff may confer at the nurse’s station without violating the Privacy Rule.
Treat Patients’ Information as if it were your own information
Patients’ Rights
The right to request restriction of PHI uses & disclosures
The right to request alternative forms of communications (mail to P.O. Box, not street address; no message on answering machine, etc.)
The right to access and copy their PHI
The right to an accounting of the disclosures of PHI
The right to request amendments to information
Downloading / Copying / Removal
Employees should not download, copy, or remove from the clinical areas any PHI, except as necessary to perform their jobs.
Upon termination of employment, or upon termination of authorization to access PHI, the employee must return copies of PHI in his or her possession.
Shred or destroy PHI before throwing it away.
Dispose of paper and other records with PHI in secured shredding bins. Recycling and Trash bins are NOT secure.
Shredding bins work best when papers are put inside the bins. When papers are left outside the bin, they are not secured from:
Daily gossip
Daily trash
The public
Know where you left your paperwork
Check printers, faxes, copier machines when you are done using them
Ensure paper charts are returned to applicable areas in nursing stations, medical records, or designated file rooms
Do not leave hard copies of PHI lying on your desk; lock them up in your desk at the end of the day
Seal envelopes well when mailing
Faxing is permitted. Always include, with the faxed information, a cover sheet containing a Confidentiality Statement
Limit manual faxing to urgent transmittals. In an emergency, faxing PHI is appropriate when the information is needed immediately for patient care
Other situations are also considered urgent (e.g., results from lab to physician)
Place Fax machine in a secure area
Information that should not be faxed except in an emergency:
Drug dependency
Alcohol dependency
Mental illness or psychological information
Sexually-transmitted disease (STD) information
HIV status
HIPAA Security Rule Provisions
Administrative Safeguards
Since many of us receive, store and transmit PHI as part of our day-to-day responsibilities, the Privacy Rule requires the following administrative safeguards to ensure that PHI is not compromised:
Designating a Privacy Officer to be responsible for the development and implementation of privacy policies
Providing physical safeguards to protect our computer systems and related equipment from fire, other environmental hazards and intrusion
Using technical safeguards like encryption software to transmit health information over the Internet
Requiring business associates (lawyers, consultants, auditors, billing companies, pharmacists, etc.) to confirm that they will protect PHI
Developing a system to track who accessed what information; and
Implementing rules for addressing violations of privacy, security and transaction regulations, including establishing a process for making complaints and preventing retaliation against anyone who reports a HIPAA violation.
HIPAA also requires those with access to PHI to undergo periodic training on these and other appropriate privacy procedures, and to keep documented proof that these trainings have been given.
The Security Rule also requires that administrative, physical and technical safeguards are in place to prevent the improper use or disclosure of PHI. The required administrative safeguards are as follows:
Certification Review: A technical evaluation to ensure that our computer environment is secure from intrusion.
Chain of Trust Agreements: Agreements with external recipients of PHI confirming that they will protect the confidentiality of data exchanged.
Contingency Plan: A plan for responding to system emergencies, including the performance of backups, emergency-mode operations, and disaster-recovery procedures.
Policies & Procedures: Policies and procedures for the proper use of healthcare information.
Access Controls: A plan for granting different levels of access to healthcare information, including policies that determine each individual’s right to access the information.
Internal Audit Procedures: An in-house review of system activity records (such as log-ins, file accesses, and security incidents).
Personnel Security: Security checks and special training for all employees with access to sensitive information regarding the proper use and handling of PHI, and documentation to verify that the training has occurred.
Security Configuration Management: Procedures for the security of our computer systems, such as virus checking and security testing.
Security Incident Procedures: Instructions for reporting security breaches.
Security Management Process: A process to ensure that we have the proper infrastructure in place to prevent and detect security breaches.
Termination Procedures: Procedures to prevent a terminated employee from having access to confidential information.
HIPAA also requires those with access to PHI to undergo periodic training on these and other appropriate security procedures, and to keep documented proof that these trainings have been given.
Physical Safeguards
The Security Rule also requires a number of physical steps to ensure that PHI contained in computers is properly protected from fire and environmental hazards, as well as from intrusion. Physical safeguards include the following:
Security Management: Assignment of responsibility for Security management.
Media Controls: A set of procedures that govern the receipt and removal of hardware and software (such as diskettes, tapes, and personal digital assistants).
Physical Access Controls: Procedures that deter intruders from accessing environments where sensitive information resides.
Equipment Controls: Security policies for bringing hardware and software into and out of offices, including policies on how to dispose of hardware and other storage media.
Guidelines on Workstation Use: Procedures describing the proper functions to be performed on computers, and how to handle sensitive information that may be displayed on computer screens.
Technical Safeguards
Finally, the Security Rule requires certain technical safeguards for PHI, including:
Access Controls: Controls to ensure that access to sensitive information is available on a need-to-know basis, based on roles and context.
Audit Controls: Controls to record and examine system activity, helping to eliminate unnecessary access to sensitive information.
Authorization Controls: Controls for obtaining consent for the use and disclosure of health information.
Data Authentication: Controls to help ensure that health data has not been altered in an unauthorized manner.
Entity Authentication: Controls to ensure that data is sent to the intended recipient and received by the intended party. These controls include the use of password protections, PINs and, when sent over public networks, encryption.
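The access, audit and data-authentication safeguards listed above, together with the “minimum necessary” standard from the Notice of Privacy Practices section, can be expressed directly in code. The following is an added example, not part of the course or of any particular product: a role-to-field table enforces need-to-know access, every request is written to an audit trail whether it is granted or denied, and an HMAC tag over the record provides the data-authentication check that detects unauthorized alteration. The roles, field names, sample record and key are all constructed for the example; in a real system the key lives in a key store and the audit trail in an append-only, tamper-evident log.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Minimum-necessary table: which PHI fields each role may see.
# Roles and field names are hypothetical.
ROLE_FIELDS = {
    "treating_clinician": {"name", "diagnosis", "medications", "allergies"},
    "billing_clerk": {"name", "insurance_id", "service_date", "procedure_code"},
    "quality_reviewer": {"diagnosis", "procedure_code", "service_date"},
}

# Audit trail of every access decision (in production: append-only, tamper-evident store).
AUDIT_LOG = []


def access_phi(user, role, record, requested_fields, purpose):
    """Return (granted_fields, denied_fields) and record the decision in the audit log."""
    permitted = ROLE_FIELDS.get(role, set())        # unknown role: nothing permitted
    requested = set(requested_fields)
    granted = {f: record[f] for f in requested & permitted if f in record}
    denied = sorted(requested - permitted)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "purpose": purpose,                         # treatment / payment / operations
        "record_id": record.get("record_id"),
        "granted": sorted(granted),
        "denied": denied,
    })
    return granted, denied


def record_tag(record, key):
    """Data authentication: HMAC-SHA256 over a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_record(record, tag, key):
    """True only if the record is exactly what was tagged (constant-time comparison)."""
    return hmac.compare_digest(record_tag(record, key), tag)


def denied_requests_by_user(log):
    """Internal audit helper: count denied field requests per user."""
    counts = {}
    for entry in log:
        if entry["denied"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + len(entry["denied"])
    return counts


# Constructed sample record and key; all values fictitious.
SAMPLE_PATIENT = {
    "record_id": "REC-0001",
    "name": "Jane Example",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "allergies": [],
    "insurance_id": "PLAN-12345",
    "service_date": "2023-11-02",
    "procedure_code": "99213",
}
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

if __name__ == "__main__":
    tag = record_tag(SAMPLE_PATIENT, DEMO_KEY)
    granted, denied = access_phi("clerk01", "billing_clerk", SAMPLE_PATIENT,
                                 ["name", "insurance_id", "diagnosis"], "payment")
    print("granted:", sorted(granted), "denied:", denied)
    altered = dict(SAMPLE_PATIENT, diagnosis="Hypertension")
    print("original verifies:", verify_record(SAMPLE_PATIENT, tag, DEMO_KEY))
    print("altered verifies:", verify_record(altered, tag, DEMO_KEY))
    print("denied per user:", denied_requests_by_user(AUDIT_LOG))
```

Two design points matter here. Denied requests are logged with the same detail as granted ones, because a pattern of denials from one account is exactly what the internal audit procedure above is meant to surface. And the integrity tag is keyed: a plain hash would let anyone who can alter the record recompute it, whereas the HMAC can only be recomputed by a holder of the key.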
Sending PHI via E-mail and Fax
According to the Security Rule, it is permissible to use the Internet to transmit PHI, as long as
An acceptable method of encryption is used to protect confidentiality, and
Appropriate authentication procedures are followed to ensure correct identification of the sender and receiver.
Although faxes are transmitted over telephone lines, they are not considered to be “covered transactions,” so they may be sent without additional security precautions.
Privacy Breach from Lost, Stolen, or Misdirected Information
A privacy breach can occur when information is:
Physically lost or stolen
Paper copies, films, tapes, electronic devices
Anytime, anywhere – even while on public transportation, crossing the street, in the building, in your office
Misdirected to others outside of your organization
Verbal messages sent to or left on the wrong voicemail or sent to or left for the wrong person
Mislabeled mail, misdirected email
Wrong fax number, wrong phone number
Placed on intranet, internet, websites, Facebook, Twitter
What constitutes a Breach?
Definition of “Breach”: An impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy Rule
Examples include:
Laptop containing PHI is stolen
Receptionist who is not authorized to access PHI looks through patient files in order to learn of a person’s treatment
Nurse gives discharge papers to the wrong individual
Billing statements containing PHI mailed or faxed to the wrong individual/entity
Examples of Privacy Breach
Talking in public areas, talking too loudly, talking to the wrong person
Lost/stolen or improperly disposed of paper, mail, films, notebooks
Lost/stolen laptops, PDAs, cell phones, media devices (video and audio recordings)
Lost/stolen media like CDs, flash drives, memory cards
Hacking of unprotected computer systems
Email or faxes sent to the wrong address, wrong person, or wrong number
User not logging off of computer systems, allowing others to access their computer or system
Exceptions to Breach
Unintentional acquisition, access, use or disclosure by a workforce member (“employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity”) acting under the authority of a covered entity or business associate.
Inadvertent disclosures of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized healthcare arrangement in which covered entity participates.
If a covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.
Breach Notification Obligations
If a breach has occurred, your organization will be responsible for providing notice to:
The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery; a breach is considered discovered when the incident becomes known, not when the covered entity or Business Associate concludes its analysis of whether the facts constitute a Breach)
The Secretary of Health & Human Services (HHS) (timing will depend on the number of individuals affected by the breach)
Media (only required if 500 or more individuals of any one state are affected)
Breach Notification Decision Tree
What if there is a Breach of Confidentiality?
Breaches of the policies and procedures or a patient’s confidentiality must be reported to your organization’s privacy official. Please follow your organization’s policy manual for reporting procedure.
Disciplinary Actions (Sanctions)
Internal Disciplinary Actions
Individuals who breach the policies will be subject to appropriate discipline under organization’s sanction policy.
Civil/Criminal Penalties
An employee who does not protect a patient’s privacy and follow all required policies and procedures could lose his or her job.
Covered entities and individuals who violate these standards will be subject to civil and/or criminal liability.
Civil Penalties
Covered entities and individuals who violate these standards will be subject to civil liability
HIPAA Criminal Penalties
Reporting Security Incidents / Privacy Breaches
You are required to:
Respond to security incidents and report them first to your practice’s Information Privacy and Security personnel and/or to the Practice Administrator, as well as to the Information Privacy and Security Officer.
Immediately report any known or suspected privacy breaches (whether involving paper, conversations, or suspected unauthorized or inappropriate access to or use of PHI), first to your practice’s Information Privacy and Security personnel and/or to the Practice Administrator, as well as to your organization’s Information Privacy and Security Office.
Conclusion
From the patients’ point of view, ALL information is private.
This includes a patient’s:
Personal information
Financial information
Medical information
Protected Health Information
Information in any format: spoken, written, or electronic
To wrap things up, remember that patient privacy and data security, whether paper or electronic, is a top priority for pharmacy staff. Protected Health Information refers to the data you must keep private and secure because, alone or in combination, it identifies an individual patient. Patients, including you when you are a patient, have a number of rights with respect to protected health information. Patients may request copies, file a complaint, or request amendments or changes to the record. Think back over the questions and case studies and recall how often the answer could be chosen using common sense. HIPAA has many rules, but most are pretty easy to follow.
Active Learning
Other Administrative Simplification Rules – In addition to the HIPAA Privacy, Security, and Enforcement Rules, the HIPAA Administrative Simplification Rule also includes the following rules and standards:
https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/index.html
References
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191
https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996
HHS published a final Privacy Rule
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
HHS published a final Security Rule
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
The HITECH Act of 2009 expanded the responsibilities of business associates under the HIPAA Security Rule.