1 / 22

Privacy and Security Within the Electronic Health Record

Privacy and Security Within the Electronic Health Record. Laurie Rinehart-Thompson, JD, RHIA, CHP, FAHIMA Professor – Health Information Management and Systems Laurie.rinehart-thompson@osumc.edu. Learning Objectives. Identify the individuals, organizations and information covered by HIPAA

leonardok
Download Presentation

Privacy and Security Within the Electronic Health Record

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy and Security Within the Electronic Health Record Laurie Rinehart-Thompson, JD, RHIA, CHP, FAHIMA Professor – Health Information Management and Systems Laurie.rinehart-thompson@osumc.edu

  2. Learning Objectives • Identify the individuals, organizations and information covered by HIPAA • Apply the HIPAA Privacy Rule’s authorization requirements to uses and disclosures of health information • Explain the HIPAA Privacy Rule’s individual rights • Identify the HIPAA Security Rule’s physical, technical and administrative safeguards • Describe security threats to electronic health information and identify breaches in the EMR • Explain risk analysis and business continuity concepts as they relate to electronic health information

  3. HIPAA (Health Insurance Portability and Accountability Act of 1996)

  4. WHO does HIPAA apply to?

  5. WHAT is protected health information? (PHI)

  6. WHAT is protected health information? (PHI) • Consider #1 of the three-part test: How do we know if we can identify a person from the information? • It actually identifies the person (eg, Robert Smith) • Or there is a reasonable basis to believe the person can be identified from the information • This might be through expert determination or when any of 18 identifiers are present in the information. • This includes items such as dates of admission or discharge, or a person’s birth or death date – but can also be items like social security number, email address or medical record number

  7. What information is NOT PHI?

  8. Identifying PHI • “A 67-year-old male who underwent a hernia repair.” • A hospital possesses this information • “A 92-year-old patient resides in Anytown, Ohio.” • Dr. Jones’ dental practice possesses this information • Anytown’s population is 6,000.

  9. Authorization to Use PHI • Authorization: A patient’s signed agreement to a specific use or disclosure of PHI. • An authorization must contain specific elements to be valid. • The general rule per HIPAA is that, for PHI to be used or disclosed, an authorization is required. However, there are many exceptions.

  10. When is an authorization not required? • There are 18 different exceptions, but they include situations such as: • Reporting infectious disease data for public health monitoring • For certain law enforcement uses such as locating a fugitive • For national security purposes • To report situations that involve abuse, neglect, or domestic violence • To support a workers’ compensation claim

  11. HIPAA Individual Rights

  12. Applying HIPAA Individual Rights • Mrs. Smith is upset to find that the physician has listed type I diabetes as a diagnosis in the EMR. Does Mrs. Smith have any rights regarding this diagnosis, which she believes is incorrect? What can Mrs. Smith do, and which individual right does this exemplify? • Mr. Baker wants a copy of his record. Must he sign an authorization to receive it? What individual right does this exemplify?

  13. The HIPAA Security Rule

  14. Security Threats to Health Information

  15. Security Threats to Health Information

  16. Activity #1

  17. Activity #2

  18. Risk Analysis • The HIPAA Security Rule’s administrative safeguards require a risk analysis, which entails: • System characterization • Threat identification • Identifying vulnerabilities • Control assessment • Likelihood determination • Impact analysis • Risk determination • Control recommendations • Results documentation

  19. Business Continuity

  20. Summary • Identify the individuals, organizations and information covered by HIPAA • Apply the HIPAA Privacy Rule’s authorization requirements • Explain the HIPAA Privacy Rule’s individual rights • Identify the HIPAA Security Rule’s physical, technical and administrative safeguards • Describe security threats to electronic health information and identify breaches in the EMR • Explain risk analysis and business continuity concepts as they relate to electronic health information

  21. Conclusion • Thank you for reviewing the module within IHIS Learn. After completing the exercises associated with this module within the IHIS Learn environment, please return to Carmen to complete the required end-of-module survey before the deadline specified in Carmen. Through this survey you will provide feedback about your experience with the learning module and answer some questions to gauge your knowledge after completing the module. • If you have any questions about the module content, please contact me at: laurie.rinehart-thompson@osumc.edu

  22. Reference • Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification. 45 CFR Parts 160 and 164. 2013.

More Related