Discuss the two situations in which disclosure of protected health information is required. Please ensure that the rubric is followed and proper citation in APA7 format for all sources. Scholarly references and the attached book are the only acceptable sources.
Chapter 6
Privacy, Security, and Legal Aspects
of the EHR
© Paradigm Education Solutions
Learning Objectives
6.1 Define Health Insurance Portability and Accountability Act of 1996 (HIPAA), specifically the Administrative Simplification provisions and the date enacted.
6.2 Identify who is and who is not considered to be a covered entity under HIPAA.
6.3 Identify the basic principles of the Privacy Rule and differentiate between when disclosure of protected health information is permitted and when it is not permitted.
6.4 Demonstrate release of information (ROI) functions carried out by health information management (HIM) staff in the electronic health record (EHR) environment.
6.5 Demonstrate how to produce an accounting of disclosures log.
6.6 Discuss the concept of “minimum necessary” as it relates to the release of health information.
Learning Objectives, Continued
6.7 Explain the enforcement and penalty process for violations of HIPAA privacy and security regulations.
6.8 Discuss the HIPAA Breach Notification Rule.
6.9 State the two primary purposes for the development of the security standards of HIPAA.
6.10 List the major sections of the standards of the HIPAA Security Rule and provide safeguard examples that apply to each section.
6.11 Discuss the difference between required and addressable implementation specifications.
6.12 Explain why the 21st Century Cures Act is one of the most significant acts regarding EHR use and exchange.
6.13 Discuss the purpose of the United States Core Data for Interoperability (USCDI) and give examples of the data classes and data elements.
6.14 Define information blocking and give examples of what is and is not considered information blocking.
Introduction
• EHR users must understand and follow laws and
regulations regarding the privacy, safety, and security of
health information.
• Federal legislation provides guidance about the release and
security of:
– Protected health information (PHI) in paper health records
– Identifiable EHR patient information, known as electronic
protected health information (ePHI)
6.1 Health Insurance Portability and
Accountability Act of 1996
• The Health Insurance Portability and Accountability
Act of 1996 (HIPAA) includes provisions that affect all
healthcare facilities.
– Allows for health insurance to be “portable”
– Addresses the confidentiality of medical records
– Sets standards for:
• Health information privacy and security
• Efficiency and effectiveness of healthcare systems (Sections
261–264, the Administrative Simplification Provisions)
6.2 HIPAA Privacy Rule
• 2000: US Department of Health and Human Services (HHS)
published the Privacy Rule
– Intended to define:
• Protected health information
• The entities and circumstances in which it may be used or
disclosed by covered entities
• 2013: HHS modified the HIPAA Privacy, Security, and
Enforcement Rules to align with the Health Information
Technology for Economic and Clinical Health (HITECH) Act
• 2020: Office for Civil Rights and HHS proposed changes to
the Privacy Rule
6.2 HIPAA Privacy Rule, Continued
• The Privacy and Security Rules apply to covered entities: healthcare providers, health plans, and healthcare clearinghouses transmitting health information in an electronic format.
6.2 HIPAA Privacy Rule, Continued
• Noncovered entities do not have to comply with the
Privacy and Security Rules.
– Workers’ compensation carriers
– Employers
– Marketing firms
– Life insurance companies
– Pharmaceutical manufacturers
– Casualty insurance carriers
– Pharmacy benefit management companies
– Crime victim compensation programs
6.2 HIPAA Privacy Rule, Continued
• Types of health information classified under the Privacy Rule:
– PHI
– Individually identifiable health information
– Deidentified health information
6.2 HIPAA Privacy Rule, Continued
• PHI: information, including demographic data, that:
– Identifies the individual, or for which there is a reasonable
basis to believe that the information can be used to identify
the individual
– Relates to at least one of the following:
• The individual’s past, present, or future physical or mental
health condition
• The provision of health care to the individual
• The past, present, or future payment for the provision of health
care to the individual
6.2 HIPAA Privacy Rule, Continued
• Types of PHI
– Name
– Address
– Any dates (except years that are directly related to the individual, such as birth date)
– Telephone number
– Fax number
– Social Security number
– Medical record number
– Health plan beneficiary number
– Account number
– Certificate/license number
– Vehicle identifiers
– Device identifiers or serial numbers
– Email address
– Digital identifiers
– IP addresses
– Biometric elements
– Full face photographic images
– Other identifying numbers or codes
6.2 HIPAA Privacy Rule, Continued
• Deidentified health information: neither identifies an
individual nor provides a reasonable basis to identify an
individual
– Use not restricted by the Privacy Rule
– Primarily used for summary purposes, e.g.:
• Number of patients from a ZIP code
• Number of patients who recently had a cavity
• Number of physical therapy home care visits
6.2 HIPAA Privacy Rule, Continued
Basic Principles of the Privacy Rule
• A covered entity may not use or disclose PHI except either:
1. As the Privacy Rule permits or requires, or
2. As the individual who is the subject of the information (or
the individual’s personal representative) authorizes in
writing
6.2 HIPAA Privacy Rule, Continued
Required Disclosures
• A covered entity must disclose PHI to:
1. An individual (or their personal representative), specifically when he or she requests access to, or an accounting of disclosures of, their PHI
2. HHS, specifically during a compliance investigation, review, or enforcement action
6.2 HIPAA Privacy Rule, Continued
Permitted Disclosures
• Health information can be used and/or disclosed without
prior patient authorization:
– To the individual patient
– For treatment purposes*
– For payment purposes*
– For healthcare operations*
*These three disclosures are known collectively as treatment,
payment, healthcare operations (TPO).
6.2 HIPAA Privacy Rule, Continued
• Health information can be used and/or disclosed without
prior patient authorization:
– Incidental to an otherwise permitted use or disclosure
– For public interest and benefit activities
– As a limited data set for purposes of research, public
health, or healthcare operations
• PHI from which certain specified direct identifiers of
individuals and their relatives, household members, and
employers have been removed
Consider This
A teenage patient brought to the emergency department (ED)
of a hospital drifts in and out of consciousness. The ED
physician suspects an adverse event from a medication the
patient is taking or a possible drug overdose. The ED
physician learns that the patient takes medications that have
been prescribed by the patient’s primary care physician.
Because the patient’s EHR is interoperable with the hospital’s
EHR, the ED physician is able to access the medications
prescribed for the patient. How does permitted disclosure of
health information in the Privacy Rule allow the patient to
receive the necessary care? What could happen if the patient
needs to wait while the hospital seeks authorization to
release her information?
6.2 HIPAA Privacy Rule, Continued
Release of Information (ROI)
• Rules and regulations related to the release of PHI are the
same for a paper record and an EHR.
• The ROI process is more streamlined in an EHR
environment.
– Physical records do not need to be located.
– Records can be printed, saved to digital storage, or emailed
directly from the EHR.
– Records can be released faster.
6.2 HIPAA Privacy Rule, Continued
Accounting of Disclosures
• Per the Privacy Rule, a patient has the right to receive an accounting of disclosures of their PHI made by the covered entity.
• ROI software, as part of the EHR system, produces these documents.
6.2 HIPAA Privacy Rule, Continued
Privacy Rule and State Laws
• State laws that contradict the Privacy Rule are overruled by
the federal requirements unless an exception applies.
Minimum Necessary Concept
• Minimum necessary: covered entities must make
reasonable efforts to limit the use of, disclosure of, and
requests for the minimum amount of PHI necessary to
accomplish the intended purpose
• Required by the Privacy Rule
6.3 Privacy Rule Enforcement
• The HHS Office for Civil Rights (OCR) enforces HIPAA Privacy and Security Rules.
6.3 Privacy Rule Enforcement, Continued
• Two categories of Privacy Rule violations:
– Civil
• Penalties of $100-$50k per failure
– Criminal
• Penalties up to $250k and up to 10 years of prison
• The major difference between civil and criminal violations
involves the intent behind the violation.
– Mistaken vs. knowing
6.3 Privacy Rule Enforcement, Continued
• Resolution agreement: a contract signed by the federal
government and a covered entity in which that entity
agrees to:
– Perform certain obligations (e.g., staff training regarding
privacy and confidentiality)
– Send reports to the federal government for a certain time
period (typically three years)
6.4 Breach Notification Rule
• Breach: an impermissible use or disclosure under the
Privacy Rule that compromises the security or privacy of
PHI and poses significant risks to the affected individual
– Financial risks, reputational risks, other identified harm
• Following a breach, covered entities and their business
associates must notify:
– Affected individuals
– HHS
– The media (in certain circumstances)
6.4 Breach Notification Rule, Continued
Notice to Individuals Requirement
• Written notifications must be provided following the
discovery of a breach and include:
1. A description of the breach
2. A description of the types of information involved in the
breach
3. The steps affected individuals should take to protect
themselves from potential harm
4. A brief description of what the covered entity is doing to
investigate the breach, mitigate the harm, and prevent
further breaches
5. Contact information for the covered entity
6.4 Breach Notification Rule, Continued
Notice to the Media Requirement
• Covered entities must provide notice to the media of a
breach affecting more than 500 residents of a state or
jurisdiction.
– Press release to media outlets serving the affected area
– Must include the same information required for the
individual notice
6.4 Breach Notification Rule, Continued
• The most often investigated HIPAA compliance issues:
1. Impermissible uses and disclosures of PHI
2. Lack of safeguards of PHI
3. Lack of patient access to their PHI
4. Lack of administrative safeguards of ePHI
5. Uses or disclosures of more than the minimum necessary
PHI
6.4 Breach Notification Rule, Continued
• The most common types of covered entities required to
take corrective action:
1. Private practices
2. General hospitals
3. Outpatient facilities
4. Pharmacies
5. Health plans (group health plans and health insurance
issuers)
6.4 Breach Notification Rule, Continued
Cases of Protected Health Information Breaches
• 2018: Anthem, Inc.
– Hacker accessed 78.8 million record database
• 2017: Lifespan Health System
– Laptop containing ePHI of more than 20,000 patients stolen
• 2016: Athens Orthopedic Clinic
– PHI database of over 200,000 patients stolen
• 2015: Premera Blue Cross
– Hacker accessed information of more than 10 million
individuals
6.5 HIPAA Security Rule
• The Security Standards for the Protection of Electronic
Protected Health Information were developed to address
the security provisions of HIPAA.
– Known as the Security Rule
– Pertain exclusively to electronic health information
• As the United States moves toward its goal of a
Nationwide Health Information Network and a greater
use of EHRs, protecting the confidentiality, integrity, and
availability of ePHI becomes even more critical.
6.5 HIPAA Security Rule, Continued
Objectives of the Security Rule
• Each covered entity must:
1. Ensure the confidentiality, integrity, and availability of ePHI
that it creates, receives, maintains, or transmits
2. Protect against any reasonably anticipated threats and
hazards to the security or integrity of ePHI
3. Protect against reasonably anticipated uses or disclosures of
such information that are not permitted by the Privacy Rule
4. Ensure compliance by the workforce
6.5 HIPAA Security Rule, Continued
Major Differences between the Privacy and Security Rules
• The rules are closely aligned, but there are two areas of
distinction:
– The Privacy Rule applies to all PHI; the Security Rule covers
only ePHI.
– The Privacy Rule contains minimum security aspects for PHI
protection; the Security Rule provides comprehensive
security requirements.
6.5 HIPAA Security Rule, Continued
Sections of the Security Rule
• General Rules
– States general covered entity requirements
• Administrative Safeguards
– Includes the assignment or delegation of security
responsibility to an individual and the need for security
training for employees and users
• Physical Safeguards
– Includes mechanisms necessary to protect electronic systems
from threats, environmental hazards, and unauthorized
intrusion
6.5 HIPAA Security Rule, Continued
• Technical Safeguards
– Covers automated processes used to protect and control access to data
• Organizational Requirements
– Includes standards for business associate contracts and requirements for group health plans
• Policies and Procedures and Documentation Requirements
– Addresses implementation of reasonable and appropriate policies and procedures to comply with the Security Rule standards
6.5 HIPAA Security Rule, Continued
• The Security Standards Matrix assists covered entities in assessing their compliance with the Security Rule.
– A required standard (R) must be met.
– An addressable standard (A) should be met if it is a reasonable and appropriate safeguard in the entity’s environment.
6.5 HIPAA Security Rule, Continued
EHR System Security
• EHR systems can track and record user activity.
• Once clinical documentation has been entered and
authenticated, documented entries cannot be modified.
• Attempts to change a health record can easily be identified
by an administrator.
6.5 HIPAA Security Rule, Continued
HIPAA Security Rule Enforcement
• Same process as Privacy Rule enforcement
• Organizations have bolstered their efforts by:
– Reducing risk through network or enterprise data storage:
a centralized system that businesses use for managing and
protecting data
6.5 HIPAA Security Rule, Continued
• Organizations have bolstered their efforts by:
– Encrypting ePHI
– Maintaining administrative and physical safeguards on the
devices and media that handle ePHI
– Raising employee awareness of security and good data
stewardship: the authority and responsibility associated
with collecting, using, and disclosing health information
Consider This
An employee of the State Department of Health and Social Services left
a portable electronic storage device (USB drive) in a car that was later
stolen. The USB drive contained ePHI, so the State Department of
Health and Social Services submitted a report to the OCR, as all
covered entities are required to do when a breach of health
information security has occurred. When the OCR investigated, it
found evidence that the department did not have adequate policies
and procedures in place to safeguard ePHI. In addition, the department
had not completed a risk analysis, implemented sufficient risk
management measures, completed security training for its workforce
members, implemented device and media controls, or addressed
device and media controls or encryption, as required by the HIPAA
Security Rule. Does the State Department of Health and Social Services
have to follow the HIPAA Security Rule? Why? Is there a possibility
that the department would be fined in this scenario? What do you
think the findings of the OCR should be?
6.6 21st Century Cures Act and Final Rule
• 21st Century Cures Act (2016): one of the most significant
acts to address patient access to electronic medical records
and the exchange and use of health information
• Final Rule: sets the standards for interoperability to
promote patient access and control of their ePHI
• The United States Core Data for Interoperability (USCDI): a
required, standardized set of health data for nationwide,
interoperable health information exchange
– Version 1: May 2020
– Version 2: July 2021
6.6 21st Century Cures Act and Final
Rule, Continued
• The 21st Century Cures Act defines and disallows
information blocking:
– A practice by a health IT developer of certified health IT,
health information network, health information exchange, or
healthcare provider that, except as required by law or
specified by the Secretary of HHS as a reasonable and
necessary activity, is likely to interfere with access, exchange,
or use of ePHI
• This part of the Cures Act prevents restricting access to or
abusing electronic health information.
Exploring Electronic Health Records
A DIVISION OF KENDALL HUNT
Chapter 6
Privacy, Security, and Legal Aspects of the EHR
Field Notes
“I worked in a busy physical therapy clinic treating 24 patients per day. When a physician wrote an order that was illegible, we would have to take time away from treating patients to place a call for clarification, many times waiting until the provider had a chance in their schedule to speak with us. With an EHR, we have accurate information. We have access to diagnostic results with a mouse click. The EHR saves time, as we do not have to place a call and wait for information to be faxed. The EHR also allows for the use of prompts built into the system, which allow us to document and bill more effectively, maximizing reimbursement. We also have the ability to customize useful keyboard shortcuts that can be shared among clinicians. In big clinics, a patient may see more than one therapist and our notes help us to achieve continuity of care.”
– Kim Shearer, Physical Therapy Assistant
Learning Objectives
6.1 Define Health Insurance Portability and Accountability Act of 1996 (HIPAA), specifically the Administrative Simplification provisions and the date enacted.
6.2 Identify who is and who is not considered to be a covered entity under HIPAA.
6.3 Identify the basic principles of the Privacy Rule and differentiate between when disclosure of protected health information is permitted and when it is not permitted.
6.4 Demonstrate release of information (ROI) functions carried out by health information management (HIM) staff in the electronic health record (EHR) environment.
6.5 Demonstrate how to produce an accounting of disclosures log.
6.6 Discuss the concept of “minimum necessary” as it relates to the release of health information.
6.7 Explain the enforcement and penalty process for violations of HIPAA privacy and security regulations.
6.8 Discuss the HIPAA Breach Notification Rule.
6.9 State the two primary purposes for the development of the security standards of HIPAA.
6.10 List the major sections of the standards of the HIPAA Security Rule and provide safeguard examples that apply to each section.
6.11 Discuss the difference between required and addressable implementation specifications.
6.12 Explain why the 21st Century Cures Act is one of the most significant acts regarding EHR use and exchange.
6.13 Discuss the purpose of the United States Core Data for Interoperability (USCDI) and give examples of the data classes and data elements.
6.14 Define information blocking and give examples of what is and is not considered information blocking.
As you have already learned, privacy and confidentiality of health information is a major focus when implementing an electronic health record (EHR) system. As a user of an EHR system, you must understand and follow the laws and regulations regarding privacy, safety, and security of health information. Federal legislation that revolutionized the release and security of health information includes the HIPAA Privacy and Security Rules published in 2000, which were subsequently updated in 2010 and 2013. These rules provide guidance about the release and security of protected health information (PHI) as documented in paper health records as well as the release and security of identifiable EHR patient information, known as electronic protected health information (ePHI). In addition, there are procedures for securing health information that are not mandated by law but should be considered when implementing and using EHRs.
6.1 Health Insurance Portability and
Accountability Act of 1996
Expand Your Learning: Locate a website sponsored by the US government, such as https://EHR3.ParadigmEducation.com/HIPAAindex, that provides information and resources regarding HIPAA.
Figure 6.1
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was
enacted on August 21, 1996. HIPAA includes many provisions that affect all healthcare
facilities. For example, HIPAA allows for health insurance to be “portable”; in
other words, the insurance can be moved from one employer to another without denial
or restrictions. HIPAA mainly addresses the confidentiality of patients’ medical
records, including the safeguards that need to be implemented by a healthcare facility
to protect the privacy and security of patient information. In addition to setting
standards for health information privacy and security, HIPAA also addresses standards
to improve the efficiency and effectiveness of healthcare systems. For example, Sections
261-264, known as the Administrative Simplification Provisions, required the US
Department of Health and Human Services (HHS) to adopt national standards for
electronic healthcare transactions and code sets, unique health identifiers, and security.
To gain a broad picture of the tenets of HIPAA, see Figure 6.1. This chapter will
specifically focus on the HIPAA provisions for the electronic exchange, privacy, and
security of health information.
HIPAA Administrative Simplification Provisions (Figure 6.1 diagram; only its box labels are legible):
• Health Insurance Portability and Accountability Act of 1996
• Healthcare access, portability, and renewability
• Preventing healthcare fraud and abuse
• Medical liability reform
• Electronic exchange
6.2 HIPAA Privacy Rule
In response to HIPAA legislation, the HHS secretary published the Privacy Rule in December 2000, with the intent to define protected health information and the entities and circumstances in which it may be used or disclosed by covered entities, which are defined in the next section. HHS modified the HIPAA Privacy, Security, and Enforcement Rules in January 2013, to align with the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, particularly with regard to EHRs. Healthcare providers, health plans, and healthcare clearinghouses were required to be in complete compliance with HIPAA, including these modifications, by September 2013.
In December 2020, the Office for Civil Rights (OCR) and the HHS proposed changes to the HIPAA Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry. Although these proposed changes to the HIPAA Privacy Rule had not been finalized at the time of publication, they are discussed in this chapter. See Figure 6.2 for a timeline of modifications to and expansions of HIPAA.
Covered Entities
The Privacy and Security Rules apply to healthcare providers, health plans, and healthcare clearinghouses transmitting health information in an electronic format. These entities are called covered entities (see Table 6.1). Individuals, organizations, and agencies meeting the definition of a covered entity under HIPAA must comply with the rules’ requirements to protect the privacy and security of health information, and they must provide individuals with certain access rights with respect to their health information.
Table 6.1 Covered Entities

Healthcare Provider
The term healthcare provider refers to a provider who transmits health information in an electronic format and includes the following professionals and organizations:
• Physicians
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing homes
• Pharmacies
• Hospitals

Health Plan
The term health plan refers to the following entities:
• Health insurance companies
• Health maintenance organizations
• Company health plans (some self-administered company health plans with fewer than 50 participants are not covered)
• Government programs that pay for health care, such as Medicare, Medicaid, and military and veterans’ healthcare programs

Healthcare Clearinghouse
The term healthcare clearinghouse refers to public or private entities, including billing services, repricing companies, community health management information systems, community health information systems, or value-added networks and switches, that do either of the following functions:
• Process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction
• Receive a standard transaction from another entity and process or facilitate the processing of health information into nonstandard format or nonstandard data content for the receiving entity
Expand Your Learning: The Final HIPAA Privacy Rule published on December 28, 2000, can be viewed at the following website: https://EHR3.ParadigmEducation.com/PrivacyRule. Modifications made to HIPAA on January 25, 2013, can be viewed at the following website: http://EHR3.ParadigmEducation.com/HIPAAModifications. And the proposed changes to the HIPAA Privacy Rule published on December 10, 2020, can be viewed at the following website: https://EHR3.ParadigmEducation.com/HIPAAProposedChanges.
Figure 6.2 HIPAA Timeline
• 1996: HIPAA signed into law. US Department of Health & Human Services (HHS) becomes responsible for developing privacy standards.
• HHS proposes privacy standards and receives more than 50,000 comments on the proposed standards.
• December 2000: HHS publishes the Final Rule for Standards for Privacy of Individually Identifiable Health Information, or the Final HIPAA Privacy Rule.
• April 2003: Enforcement of deadline begins for covered entities to comply with the Privacy Rule.
• Enforcement of deadline begins for covered entities to comply with the Security Rule.
• January 2013: HHS publishes modifications to the HIPAA Privacy, Security, and Enforcement Rules to comply with the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This is known as the HIPAA Omnibus Final Rule.
• September 2013: HIPAA Omnibus Final Rule compliance is mandatory for covered entities, business associates, and subcontractors.
• October 2015: HIPAA Code Set Rule: Effective this date, the use of ICD-10 (International Classification of Diseases) codes is mandatory.
• December 2020: The Office for Civil Rights (OCR) and the HHS propose changes to the HIPAA Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.
Business associates of a covered entity must also follow the Privacy and Security Rules if they perform services for the covered entity involving the use or disclosure of individually identifiable health information.
Noncovered Entities
If an entity is not considered a covered entity, it does not have to comply with HIPAA Privacy and Security Rules. Some examples of noncovered entities include workers’ compensation carriers, employers, marketing firms, life insurance companies, pharmaceutical manufacturers, casualty insurance carriers, pharmacy benefit management companies, and crime victim compensation programs.
Health Information and the Privacy Rule
Certain types of health information are classified under the HIPAA Privacy Rule.
These types include protected health information, individually identifiable health
information, and deidentified health information.
Protected Health Information
The Privacy Rule defines protected health information (PHI) as all individually
identifiable health information held or transmitted by a covered entity or its business
associate, in any form or medium, whether electronic, paper, or oral.
PHI is information, including demographic data, that identifies the individual, or
for which there is a reasonable basis to believe that the information can be used to
identify the individual, and that relates to at least one of the following:
• The individual’s past, present, or future physical or mental health condition
• The provision of health care to the individual
• The past, present, or future payment for the provision of health care to the
individual
There are 18 types of information that qualify as PHI according to guidance from the HHS Office of Civil Rights, which include:
1. Name
2. Address
3. Any dates (except years that are directly related to the individual, such as birth date)
4. Telephone number
5. Fax number
6. Social Security number
7. Medical record number
8. Health plan beneficiary number
9. Account number
10. Certificate/license number
11. Vehicle identifiers
12. Device identifiers or serial numbers
13. Email address
14. Digital identifiers, such as website URLs
15. IP addresses
16. Biometric elements, including finger, retinal, and voice prints
17. Full face photographic images
18. Other identifying numbers or codes
Deidentified Health Information
The term deidentified health information was first used and identified in the Privacy
Rule and is health information that neither identifies an individual nor provides a
reasonable basis to identify an individual. Therefore, the Privacy Rule does not restrict
the use of deidentified health information. Healthcare staff primarily use deidentified
health information for summary purposes, as illustrated by the following scenarios:
• The marketing department of a healthcare provider wants to know how many
patients are from each ZIP code.
• A dentist’s office wants to know the number of patients who recently had a
cavity filled to determine if the office’s use of dental supplies is appropriate.
• A home care agency wants to know the number of physical therapy home care visits
made last year to determine whether additional physical therapists should be hired.
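As an added example (not code from the textbook or its publisher), the following Python script shows how the 18 identifier categories listed above and the summary uses in the scenarios translate into a deidentification step before data is handed to a department that needs only counts. It drops the identifier fields from a constructed patient record, keeps only the year of dates, scrubs identifier-shaped tokens (SSN, phone, email, URL, IP address, full date) out of free-text notes, checks that nothing identifying remains, and then produces the per-ZIP-code count the marketing scenario asks for. The field names, regular expressions, and sample records are assumptions made for this example, and ZIP code is retained for aggregation as the marketing scenario describes; a real facility would map its own schema onto the identifier list.

```python
"""Safe-harbor style deidentification of a constructed patient record.

Added example for this chapter; not code from the textbook. Field names,
regular expressions and the sample records below are assumptions.
"""
import re
from collections import Counter

# Fields standing in for the 18 identifier categories listed in the chapter.
# These names are assumed for the constructed record layout, not a real schema.
IDENTIFIER_FIELDS = frozenset({
    "name", "address", "telephone", "fax", "ssn", "medical_record_number",
    "health_plan_number", "account_number", "license_number", "vehicle_id",
    "device_serial", "email", "url", "ip_address", "biometric", "photo",
    "other_id",
})

# Dates directly related to the individual are identifiers except for the
# year, so these fields are reduced to the year (ISO YYYY-MM-DD assumed).
DATE_FIELDS = frozenset({"date_of_birth", "admission_date"})

# Identifier-shaped tokens that commonly leak into free-text notes.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "url": re.compile(r"https?://\S+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

# Constructed sample records; every value here is made up for the example.
SAMPLE_RECORDS = [
    {"name": "Jane Example", "date_of_birth": "1985-04-12", "ssn": "123-45-6789",
     "zip_code": "30301", "admission_date": "2023-11-02", "procedure": "cavity filled",
     "notes": "Call 555-123-4567 or jane@example.com to confirm the 11/09/2023 visit."},
    {"name": "John Sample", "date_of_birth": "1970-09-30", "medical_record_number": "MRN-0002",
     "zip_code": "30301", "admission_date": "2023-11-05", "procedure": "cavity filled",
     "notes": "Patient portal login from 192.0.2.10; see https://portal.example/visit/77"},
    {"name": "Pat Placeholder", "date_of_birth": "1992-01-15", "email": "pat@example.org",
     "zip_code": "10001", "admission_date": "2023-12-01", "procedure": "cleaning",
     "notes": "No follow-up needed."},
]


def find_identifiers_in_text(text):
    """Return (category, matched_text) pairs for identifier-like tokens in free text."""
    found = []
    for category, pattern in TEXT_PATTERNS.items():
        for match in pattern.findall(text):
            found.append((category, match))
    return found


def scrub_text(text):
    """Replace identifier-like tokens in free text with a bracketed category tag."""
    for category, pattern in TEXT_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()} REMOVED]", text)
    return text


def contains_identifiers(record):
    """List the problems that would stop this record from being treated as deidentified."""
    problems = []
    for field in sorted(f for f in record if f in IDENTIFIER_FIELDS):
        problems.append(("field", field))          # a direct identifier is still present
    for field in sorted(f for f in record if f in DATE_FIELDS):
        if len(record[field]) > 4:                  # anything more precise than the year
            problems.append(("date", field))
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS or field in DATE_FIELDS or not isinstance(value, str):
            continue
        for category, _token in find_identifiers_in_text(value):
            problems.append(("text", f"{field}:{category}"))
    return problems


def deidentify(record):
    """Return a copy of the record with the identifier categories removed."""
    clean = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue                                # drop direct identifiers outright
        if field in DATE_FIELDS:
            clean[field] = value[:4]                # keep the year only
        elif isinstance(value, str):
            clean[field] = scrub_text(value)        # free text can carry identifiers too
        else:
            clean[field] = value
    return clean


def count_by_zip(records):
    """Summary use from the chapter: how many patients come from each ZIP code."""
    return Counter(deidentify(r)["zip_code"] for r in records)


if __name__ == "__main__":
    for original in SAMPLE_RECORDS:
        print("before:", contains_identifiers(original))
        print("after: ", contains_identifiers(deidentify(original)))
    print(count_by_zip(SAMPLE_RECORDS))
```

The check in contains_identifiers is the part worth keeping in a real pipeline: running it on the output, not only on the input, catches the common failure where structured identifier fields are dropped but a phone number or email in a clinician's note survives into the "summary" extract.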
Basic Principles of the Privacy Rule
A major purpose of the Privacy Rule is to define and limit the circumstances in which
an individual’s PHI may be used or disclosed by covered entities. A covered entity may
not use or disclose PHI except either (1) as the Privacy Rule permits or requires or
(2) as the individual who is the subject of the information (or the individual’s personal
representative) authorizes in writing.
Required Disclosures
A covered entity must disclose PHI in only two situations:
1. To an individual (or their personal representative), specifically when he or
she requests access to, or an accounting of disclosures of, their PHI
2. To HHS, specifically during a compliance investigation, review, or enforcement
action
Permitted Disclosures
HIPAA regulations permit health information to be used and/or disclosed in the
following scenarios without a prior authorization signed by the patient:
• To the individual patient
• For treatment purposes
• For payment purposes
• For healthcare operations
• Incidental to an otherwise permitted use or disclosure
• For public interest and benefit activities
• As a limited data set for purposes of research, public health, or healthcare
operations
To learn more about these specific provisions for the disclosure of health information,
refer to the following sections.
[Photo caption: A patient is often asked to sign a HIPAA disclosure asking if it is
acceptable to release their health information in certain situations.]
Individual Patient
A patient has the right to view and receive a copy of their health information. The
covered entity must release the health information in the format requested by the
patient (e.g., paper, electronic storage device). As a result of the HIPAA Omnibus
Final Rule, patients also now have the right to download and transmit their health
information electronically.
TPO Clause
Three types of permitted disclosures are commonly known in the healthcare industry
collectively as treatment, payment, healthcare operations (TPO). When health
information managers, compliance officers, or administrators are asked questions
related to the appropriate release of healthcare information and reply with, “Yes,
you can release the health information under the TPO clause,” they are referring to
these permitted disclosures.
The treatment provision of the TPO clause applies to the application, coordination,
or management of health care and related services for an individual by one or more
healthcare providers, including consultation among providers regarding a patient and
referral of a patient by one provider to another.
HIPAA has made it easier and faster for providers to release information for
patient care purposes because written patient authorization is not necessary. This
HIPAA provision is particularly important for EHRs, allowing healthcare practitioners
to obtain health information within minutes or seconds. In comparison, a written
authorization could take hours or days.
A teenage patient brought to the emergency department (ED) of a hospital drifts in
and out of consciousness. The ED physician suspects an adverse event from a
medication the patient is taking or a possible drug overdose. The ED physician
learns that the patient takes medications that have been prescribed by the patient’s
primary care physician.
Because the patient’s EHR is interoperable with the hospital’s EHR, the ED physician
is able to access the medications prescribed for the patient. How does permitted
disclosure of health information in the Privacy Rule allow the patient to receive the
necessary care? What could happen if the patient needs to wait while the hospital
seeks authorization to release her information?