HAN 364 Study Guide - Final Guide: Managed Care, Data Set, Behavior Modification
31 May 2018
School
Department
Course
Professor
INFORMATICS FINAL
HIPAA
• Definition
• Intent (then and now)
o 1996 - Health Insurance Portability & Accountability Act (HIPAA) is passed
▪ 2 main original objectives:
• To ensure that individuals would be able to maintain their health
insurance between jobs. This is the Health Insurance Portability
part of the Act. It is relatively straightforward, and has been
successfully implemented.
• The second part of the Act is the "Accountability" portion. This
section is designed to ensure the security and confidentiality of
patient information/data. In addition, it mandates uniform
standards for electronic data transmission of administrative and
financial data relating to patient health information
• Other health information privacy/security legislation
o 2009 - American Recovery and Reinvestment Act (ARRA) and HITECH Acts are
passed
▪ Brought changes designed to improve privacy and security measures
required by modern technologies and closed loopholes within original
HIPAA
▪
• Privacy & security
o Security- the safeguards taken to keep medical data private
▪ Technical, administrative, physical
• Technical
o Access control (passwords, biometrics [fingerprint
scanners], keycards, etc.
o Audit trails
o Firewalls
• Administrative
o Risk assessments/mitigation
o Security personnel
o Training
• Physical
o Access control (locked doors, authorized access doors,
locked file cabinets, etc.)
o Privacy screens monitors
• Protected health information (PHI)
o Definition- any personal health information, which can be in the form of
electronic data, paper data, and verbal conversations
o What’s protected
▪ Names
▪ All geographical subdivisions smaller than a state (street address, city,
county, zip, etc.)
find more resources at oneclass.com
find more resources at oneclass.com
▪ DOB, admission date, discharge date, date of death
▪ Telephone numbers
▪ Fax numbers
▪ Vehicle numbers (VIN#, License plate, etc.)
▪ Device ID/serial numbers
▪ Email address
▪ URLs
▪ Social security # (most places don’t use this anymore, MRN)
▪ IP address
▪ MRN - medical record number
▪ Account numbers
▪ Insurance member numbers
▪ Biometric identifiers (finger/voice prints)
▪ Certificate/License numbers
▪ Full-face photographs
▪ ANY other unique identifying number, characteristic, or code
• Patients’ and organizations’ rights under HIPAA
o Patients’ Rights
▪ Copy of their health records (can be charged $)
▪ Amend their records (the HC org is not obligated to comply, reasonably)
• No one is obese, no one smokes, no one drinks too much...etc.
▪ Provide permission for their data to be shared for marketing, research,
etc.
▪ Reports on when and why health information was shared (audit trails)
• Very time consuming and expensive for organizations (gold mine
of opportunity)
▪ File a complaint with a provider, health insurer, and/or the U.S.
government if rights are being denied or health information is not being
protected
• Office of Civil Rights (feds)
• Patients cannot individually sue doctors, but they can get the
government to do it for them
o Organizations’ Privacy Requirements
▪ Develop and implement written policies and procedures
▪ Designate a privacy official (CIPO, CISO, CIPSO)
▪ Training and management
▪ Mitigation strategies for privacy breaches (on top of the government breach rule)
▪ Safeguards (admin, tech, physical)
▪ Designate a complaint official and procedure to file complaints
▪ Documentation and record retention (min. 6 years)
• Breach protocols
o Breach - “acquisition, access, use, or disclosure of unsecured PHI, in a manner
not permitted by HIPAA, which poses a significant risk of financial, reputational,
or other harm to the affected individual.”
▪ It doesn’t matter if the hacker, nurse, criminal, etc. saw or used any PHI.
The simple fact that they were disclosed unprotected PHI is enough to
account for a breach. If the risk is still determined to be significant, a
breach has occurred. If it’s determined not to be significant, it’s
considered an impermissible disclosure. If a significant risk to the
patient(s) is demonstrated, they must be notified. If 500 or more patients
are affected, HHS must be notified (Wall of Shame).
find more resources at oneclass.com
find more resources at oneclass.com
Document Summary
Intent (then and now: 1996 - health insurance portability & accountability act (hipaa) is passed, 2 main original objectives, to ensure that individuals would be able to maintain their health insurance between jobs. This is the health insurance portability part of the act. It is relatively straightforward, and has been successfully implemented: the second part of the act is the accountability portion. This section is designed to ensure the security and confidentiality of patient information/data. 6 years: breach protocols, breach - acquisition, access, use, or disclosure of unsecured phi, in a manner not permitted by hipaa, which poses a significant risk of financial, reputational, or other harm to the affected individual. It doesn"t matter if the hacker, nurse, criminal, etc. saw or used any phi. The simple fact that they were disclosed unprotected phi is enough to account for a breach. If the risk is still determined to be significant, a breach has occurred.
