HIPAA
So what is Protected Health Information (otherwise known as PHI), and what must a covered entity do to keep it secure? Any health information that is individually identifiable health information is considered PHI. In general, any part of a person's medical record or payment history is individually identifiable health information and, under HIPAA, is Protected Health Information. PHI includes the following:

- Any information (past, present or future) about care provided, or about the physical or mental health of an individual.
- Documentation of doctor's visits, charts, and notes made by physicians or other provider staff.
- Health care payments, coordination of health care benefits, health care claim status, or claims attachments.
- Enrollment and disenrollment in a health plan, eligibility for a health plan, or even health plan premium payments.

The HIPAA Privacy Rule covers all forms of PHI, whether in electronic, paper, or oral format. It sets standards for how protected health information should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information.

The HIPAA Security Rule covers electronic PHI. It establishes national standards to protect the confidentiality, integrity, and availability of electronic protected health information that is created, received, used, or maintained by a covered entity.

For example, the Privacy and Security Rules allow covered health care providers to share PHI electronically (or in any other form) for treatment purposes, as long as they apply reasonable safeguards when doing so. Thus a physician may consult with another physician by e-mail about a patient's condition, or a health care provider may electronically exchange PHI to and through a health information organization (otherwise known as an HIO) for patient care.
A covered entity needs to apply administrative, physical, and technical safeguards to protect information. A covered entity needs to perform a risk analysis to determine what measures need to be taken to reduce risks and vulnerabilities to a reasonable and appropriate level.

Administrative safeguards include office rules and procedures that keep data secure. Covered entities should:

- Designate a security official who is responsible for developing and implementing its security policies and procedures, and determine who should be authorized to access PHI.
- Train all staff in security policies and procedures, and apply appropriate sanctions against workforce members who violate them.
- Perform a periodic assessment of how well the security policies and procedures meet the requirements of the Security Rule.

An example of an administrative safeguard would be allowing only the office manager to send PHI in electronic form.

Physical safeguards include:

- Limiting physical access to facilities while ensuring that authorized access is allowed.
- Implementing policies and procedures to specify proper use of and access to computers, and the positioning of screens in patient areas.
- Having in place policies and procedures regarding the physical transfer, removal, disposal, and reuse of electronic media, like computer hard drives.

An example of a physical safeguard would be keeping all patient files in a locked room that only specific authorized personnel have access to.

Some technical safeguards include:

- Implementing hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use protected health information.
- Implementing policies and procedures to ensure that electronic measures are in place to confirm that protected health information is not improperly altered or destroyed.
- Implementing technical security measures that guard against unauthorized access to protected health information that is being transmitted over an electronic network.

An example of a technical safeguard would be data encryption and the use of strong passwords to protect files from unauthorized access.

The Privacy Rule gives providers and plans the flexibility to create their own privacy procedures, tailored to fit their size and needs. However, no matter the size of a covered entity, whether a small dentist office or a large hospital with thousands of staff, the covered entity must have written privacy procedures. In general, a covered entity must secure patient records containing individually identifiable health information so that the information is not readily available to those who do not need it. Whether or not a use or disclosure of PHI requires authorization, the covered entity must always release only as much information as necessary to address the specific need of the entity requesting the information. This is what the regulation refers to as the "minimum necessary" information to satisfy the inquiry.