This lesson is all about learning some important definitions to better help you understand HIPAA terminology. There will, of course, be a little repetition.
HIPAA: Health Insurance Portability and Accountability Act of 1996.
HITECH: Health Information Technology for Economic and Clinical Health Act of 2009.
Pro Tip #1: The goal of HITECH is to promote the adoption and meaningful use of health information technology and to significantly expand the HIPAA Privacy Rule and security standards as new requirements concerning the privacy and security of PHI are enacted.
PHI: Protected Health Information (patients' personal and medical information).
ePHI: Electronic Protected Health Information.
This includes all personal health information that is stored and/or transmitted electronically. Common examples of ePHI include:
ePHI must be encrypted whether it is being stored or transmitted.
Business Associate: Any person or organization that supports the healthcare industry in some fashion and performs functions and activities in support of a covered entity.
Per HITECH regulations, business associates are now legally required to be compliant with the HITECH Act. This includes assuming financial liability for any and all data breaches caused by their organization or employees.
All business associates are required to have:
Risk Assessment: A set of government-mandated questions that help organizations identify risk gaps affecting their own organization and the covered entities they serve. It includes a risk report with a road map for resolving any potential problems.
A risk assessment has three sections and three types of questions.
Standard questions measure a covered entity's ability to ensure the confidentiality, integrity, and availability of ePHI while it is in the custody and care of covered entities and/or business associates.
Pro Tip #2: Covered entities and business associates must comply with the applicable standards provided in the Security Rule with respect to all ePHI.
Required questions are those that must be implemented by covered entities and/or business associates.
Addressable questions, while not optional, do provide covered entities some additional flexibility with respect to compliance with the security standard.
All organizations must determine their level of risk to PHI. If a risk is deemed reasonable, appropriate security measures will need to be applied.
The Book of Evidence is a customized book of policies and procedures that all organizations are required to create. The Book of Evidence illustrates how that organization handles all PHI and ePHI. This includes:
Privacy Policy: A privacy policy explains how covered entities and business associates handle PHI. All covered entities are required by law to provide patients with a copy of their privacy policy upon request.
Business associates must also be able to provide their privacy policies to internal employees, to external companies (also known as downstream suppliers), and for government audits.
Disposal of PHI: The disposal of all protected health information (PHI) comes with its own set of requirements set forth by the HIPAA Privacy and Security Rules. These are the steps that covered entities take when they dispose of PHI.
The Department of Health and Human Services (HHS) encourages all covered entities to consider the steps that other prudent healthcare organizations and health information professionals are taking to protect patient privacy in connection with record disposal.