
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT 1996

Presented by Dr. Amandeep Singh Matharu, MBA Hospital Management, Roll No. - 14160

What is HIPAA and Why Should You Care?

The Health Insurance Portability and Accountability Act (HIPAA) is a law designed to improve the efficiency and effectiveness of the health care system. HIPAA directly affects clinical work and the operations of any facility. Understanding HIPAA prepares you to step into health organizations with a clear understanding of complying with requirements for respecting the privacy of protected health information (PHI).

HIPPOCRATIC OATH

Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets.
Oath of Hippocrates, 4th century, BC

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) amended the Internal Revenue Code of 1986:

- To improve portability and continuity of health insurance coverage in the group and individual markets;
- To combat waste, fraud, and abuse in health insurance and health care delivery;
- To promote the use of medical savings accounts;
- To improve access to long-term care services and coverage;
- To simplify the administration of health insurance.

HIPAA - The first federal law that governs the privacy of health information.

CONFIDENTIALITY OF INFORMATION AND HIPAA PROVISIONS


Any information communicated by a patient to a health care provider is privileged communication and is private.

PATIENTS HAVE A RIGHT TO CONFIDENTIALITY

HIPAA privacy and security provisions:
- Right of privacy.
- Security safeguards to ensure that facilities, equipment, and patient information are safe from damage, loss, tampering, theft or unauthorized access.

HIPAA LEGISLATIONS
HIPAA legislation was organized according to five titles:
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Health Care Fraud and Abuse, Administrative Simplification, and Medical Liability Reform
- Title III: Tax-Related Health Provisions
- Title IV: Application and Enforcement of Group Health Plan Requirements
- Title V: Revenue Offsets

PROTECTED HEALTH INFORMATION


It is the information identifiable to an individual (or individual identifiers):
- name,
- address,
- telephone numbers,
- date of birth,
- Medicaid ID number,
- other medical record numbers,
- social security number (SSN),
- name of employer.

HIPAA PRIVACY RULES

HIPAA provisions protect the security and confidentiality of health information. HIPAA privacy standards protect the confidentiality of health information maintained or transmitted electronically. The rule mandates compliance by private and public sector organizations.

HIPAA PRIVACY RULES

PATIENT RIGHTS

- Patient education on privacy protections
- Redisclosure of PHI
- Patient access to their records
- Disclosures to business associates
- Patient care and notification
- Disclosures about deceased patients
- Limited uses and disclosures when the patient is not available
- Obtaining patient authorization before information is disclosed

Recourse if privacy protections are violated


Patients have the right to file a formal complaint with a covered entity when violations of privacy protections occur.

HIPAA SECURITY RULES

The HIPAA security rule was published on February 20, 2003. It adopts standards and safeguards to protect health information that is collected, maintained, used, or transmitted electronically. There are three categories of standards and specifications:
1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards

ADMINISTRATIVE SAFEGUARDS

- Healthcare organizations must adopt a written set of privacy procedures.
- Designate a privacy officer responsible for developing and implementing all policies and procedures.
- Clearly identify employees who will have access to electronic protected health information (EPHI).
- Maintain an ongoing training program for employees regarding the handling of PHI.
- Organizations should ensure third-party vendors comply with HIPAA requirements.
- Internal audits play a key role in HIPAA compliance by reviewing operations. Audits should be both routine and event-based.
- Organizations should document instructions for addressing and responding to security breaches that are identified.
- A contingency plan should be in place for responding to emergencies.

PHYSICAL SAFEGUARDS

- Controls must govern the introduction and removal of hardware and software from the network.
- Access to equipment containing health information should be carefully controlled and monitored.
- Access to hardware and software must be limited to properly authorized individuals.
- Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
- Policies are required to address proper workstation use.

TECHNICAL SAFEGUARDS

- Information systems housing PHI must be protected from intrusion.
- Healthcare organizations must ensure that the data within their systems has not been changed or erased in an unauthorized manner.
- Digital signatures may be used to ensure data integrity.
- Organizations must also authenticate entities with which they communicate.
- Organizations must make documentation of their HIPAA practices available to the government to determine compliance.
- Documented risk analysis and risk management programs are required.

SECURITY RULE PROVISIONS


Security provisions include the following policies and procedures:
- Define authorized users of patient information to control access
- Implement a tracking procedure to sign out records to authorized personnel
- Limit record storage access to authorized users
- Lock record storage areas at all times
- Require that the original medical record remain in the facility at all times.

EFFECT OF HIPAA ON RESEARCH AND CLINICAL CARE


Effects on research

HIPAA restrictions have affected the ability to perform retrospective, chart-based research as well as to prospectively evaluate patients by contacting them for follow-up. Informed consent forms for research now include extensive detail which made already complex documents even less user-friendly for patients who are asked to read and sign them.

Effects on clinical care

The complexity of HIPAA, combined with potentially stiff penalties for violators, leads physicians and medical centers to withhold information from those who have a right to it.

CLINICAL RESEARCH IS UNIQUELY AFFECTED BY HIPAA


Specific methods to allow PHI to be used or disclosed for research purposes:
- All data are de-identified (according to the specific standards of the Privacy Rule).
- A limited data set is collected and released.
- A patient gives a written authorization that his or her data may be used and/or disclosed.
- Data are collected for preparatory work for research purposes only (according to the specific standards of the Privacy Rule).
- Special provisions are in place for research on a decedent's PHI.

AUTHORIZATION TO DISCLOSE PHI


Is Not Required

- Public health activities
- Law enforcement purposes
- Judicial and administrative proceedings
- Identification and location purposes
- Decedents
- Research purposes
- Food & Drug Administration (FDA)
- Specialized government functions
- Workers' compensation

AUTHORIZATION TO DISCLOSE PHI


Is Required

- Attorney requests.
- Employers (except when PHI is released to report work-related illnesses or injuries).
- Government agencies.
- Health care providers that did not render care to the patient.
- HIV-related information.

PATIENTS ACCESS TO RECORDS


An individual has the right to access his or her own protected health information (PHI) for the purpose of inspection and to obtain a copy, except for the following:
- Psychotherapy notes.
- Information compiled for use in a civil, criminal, or administrative action.
- PHI maintained by a covered entity that is subject to the Clinical Laboratory Improvements.

HIPAA rules are not a barrier to good care!

The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Staff is free to communicate as required for quick, effective, and high-quality health care. The Privacy Rule also recognizes that overheard communications in these settings may be unavoidable and allows for these incidental disclosures.
