A guide to common hipaa nomenclature university of miami ethics programs
This presentation is the property of its rightful owner.
Sponsored Links
1 / 23

Speak HIPAA Like a Native PowerPoint PPT Presentation


  • 163 Views
  • Updated On :
  • Presentation posted in: General

A Guide to Common HIPAA Nomenclature University of Miami Ethics Programs. Speak HIPAA Like a Native. “HIPAA”. Health Insurance Portability and Accountability Act of 1996 two main goals: making health insurance more portable when persons change employers

Related searches for Speak HIPAA Like a Native

Download Presentation

Speak HIPAA Like a Native

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


A guide to common hipaa nomenclature university of miami ethics programs

A Guide to Common HIPAA Nomenclature

University of Miami Ethics Programs

Speak HIPAA Like a Native


Speak hipaa like a native

“HIPAA”

  • Health Insurance Portability and Accountability Act of 1996

  • two main goals:

    • making health insurance more portable when persons change employers

    • making the health system more accountable – especially, reducing waste and fraud


Speak hipaa like a native

“administrative simplification”

  • promoting efficiency in the health care system, particularly by more use of computers

  • four “rules” that set standards for collection, use and disclosure of health information:

    • Transactions and Code Sets Rule

    • Identifier Rule (unique IDs for providers, plans, employers and, maybe, patients)

    • Security Rule (for electronic health information)

    • Privacy Rule (for all health information)


Speak hipaa like a native

“protected health information (PHI)”

  • HIPAA protections extend to any identifiable information related to the “past, present or future physical or mental health condition” of a person

  • “in any form or medium”

  • only adequately “de-identified information” is exempt:

    • information that contains no direct identifiers

    • it would be virtually impossible to identify from the indirect ones that remain


Speak hipaa like a native

“HIPAA rights”

  • HIPAA provides rights to patients for their PHI:

    • “access” – to see, get copy of one's records

    • “amendment” – to request correction, statement of disagreement when errors found

    • “accounting” – to get a list of (some of) the entities to which/whom one's record has been disclosed

    • for especially sensitive information, can request extra protections and/or confidential communications

    • to complain about, get resolution of, privacy problems


Speak hipaa like a native

“covered entities”

  • HIPAA protections for PHI put obligations on almost every organization that provides or pays for health care in the US:

    • health plans (health insurers, HMOs, etc.)

    • health care providers (that use electronic transactions)

    • health information clearinghouses (businesses that specialize in health data processing)


Speak hipaa like a native

“HIPAA obligations”

  • covered entities must have appropriate privacy and security policies, which include:

    • role-based rules on information use

    • training and sanctions to ensure that workforce practices follow policies


Speak hipaa like a native

“workforce” “workforce education”

  • obligations for a covered entity actually fall on its “workforce”

    • includes every employee, and every volunteer

  • every member of a covered entity's workforce must be educated

    • “as necessary and appropriate” to do his/her job


Speak hipaa like a native

“business associates”

  • companies that handle health information on a covered entity's behalf are also reached by HIPAA:

    • covered entities must enter into contracts with all business associates

    • limited obligation for covered entities to monitor business associates' practices


Speak hipaa like a native

“state preemption”

  • state laws that provide “more stringent” privacy protection remain in force:

    • HIPAA provides a floor of protections for everyone

    • state laws that are “more stringent” are not preempted by HIPAA

    • state laws relating to public health and health system oversight also remain in force


Speak hipaa like a native

“notice of privacy practices”

  • every patient will receive a Notice from their “direct treatment providers” informing them of:

    • their rights

      • access, correction, accounting, special protections and communications, and complaint processes

    • the covered entity's obligations for

      • appropriate privacy and security policies

      • workforce training in those policies

      • business associate monitoring


Speak hipaa like a native

“acknowledgment of notice”

  • “direct treatment providers” must make an effort to get written acknowledgment of receipt of the notice, from each patient:

    • the notice must also be posted in a facility, and copies must be available

    • acknowledgement process provides an opportunity for patients to discuss privacy issues with providers

  • health plans must also issue such notices periodically


Speak hipaa like a native

“treatment, payment, healthcare operations (TPO)”

  • acknowledgment constitutes permission for a broad range of “routine” transactions:

    • for any and all treatment needs

    • to secure payment for that treatment

    • for a very long list of other “health care operations”

  • “consent” is not required from patient for TPO


Speak hipaa like a native

“authorization”

  • patients must sign a written authorization for non-routine uses beyond TPO

    • certain kinds of fundraising, research, marketing

  • authorizations specify who is receiving protected information, for what purpose, and for how long

  • stricter state laws may impose additional authorization (or consent) requirements


Speak hipaa like a native

“agree or object”

  • for a few kinds of routine practices, only an opportunity for oral agreement (or objection) is required:

    • including patient's name and condition in a facility's “directory information”

    • discussions of patient's condition with immediate family members


Speak hipaa like a native

“no opportunity to agree or object”

  • a large number of disclosures can occur without patient permission, just as now:

    • for public health (reporting of diseases and conditions)

    • to report child abuse, neglect, domestic violence

    • for law enforcement investigations

    • for judicial or administrative proceedings

    • to avert a serious, immediate threat to public safety

    • for national security purposes


Speak hipaa like a native

“minimum necessary”

  • the most important general rule under HIPAA is that use and disclosure of patient's protected health information should be no more than necessary to get the job done:

    • the regulations acknowledge that “incidental uses and disclosures” inevitably happen

    • all that is required is “reasonable” effort by health care workforce to achieve minimum necessary


Speak hipaa like a native

“reasonable, appropriate security”

  • attention to technical, physical and administrative measures:

    • computer and communications protections, door locks and alarms, policies about information use

    • protections need only be “reasonable” for the circumstances, given costs and current technology

    • protections must also be appropriate to the kind and amount of information being protected


Speak hipaa like a native

“complaints of violations”

  • any patient may complain to the institution's “privacy officer” or to the US Department of Health and Human Services

    • institutions must respond promptly and take appropriate action as needed

  • workforce members may complain to privacy officer or DHHS:

    • with reasonable, good faith belief, and disclosing no more than necessary

    • no intimidating, retaliatory acts by covered entity


Speak hipaa like a native

“compliance date”

  • Privacy Rule

    • 14 April 2003 (large entities, >$5M annual revenues)

    • 14 April 2004 (small entities)

  • other Rules after that, over coming years

  • covered entities are already bound by applicable state health information laws


Speak hipaa like a native

“sanctions”

  • institutional reputation

    • loss of business, profits

  • employee suspension or termination

  • loss of license to practice

  • civil fines

  • criminal fines and imprisonment


Speak hipaa like a native

“HIPAA sanctions”

  • civil

    • $100 each violation, up to $25,000/person/year

    • liability if knew, or reasonably should have known, and no attempted cure

  • criminal

    • “knowing”: up to $50,000, 1 year in prison

    • “under false pretenses”: $100,000, 5 years

    • with “malice” or intent for “personal or commercial gain”: $250,000, 10 years


Speak hipaa like a native

This presentation may be re-used for non-commercial, educational purposes, with appropriate credit to the source. Any other use requires prior written permission. Information presented herein is believed to be correct at the time of posting. However, these materials are intended for education purposes only; they are not intended or represented as legal advice.UM Ethics Programs, PO Box 016960 (M-825), Miami FL 33101


  • Login