II. Definition: Security Rules

  1. HIPAA Security Rule Proposed (1998)
    1. HIPAA security rules must be adhered to when transmitting medical data over telecommunications networks
    2. Ensure confidentiality, integrity and availability of all electronic protected health information (e-PHI)
    3. Identify and protect against reasonably anticipated threats to security or integrity of information
    4. Protect against reasonably anticipated impermissible uses or disclosures
    5. Ensure workforce compliance (typically in conjunction with the organization's general counsel)
  2. HIPAA Security - Final Rule (2003)
    1. Specifically sets standards for administrative, physical and technical safeguards

III. Definition: Privacy Rules

  1. HIPAA Privacy Rule
    1. Federal protections related to individually identifiable patient health information
    2. Allows for disclosure of health information when needed for patient care and related important uses
      1. Medical providers may discuss patient with other providers caring for patient (consultants, pharmacists...)
      2. Immunization information may be released with verbal consent by patient or parent
    3. Healthcare providers are not covered by HIPAA if they do NOT transmit health information electronically
  2. HIPAA Limited Data Set
    1. Clinical data set that conforms to HIPAA definition may be shared with another institution that agrees to the same guidelines
    2. May contain dates of diagnosis, even sensitive diagnoses such as HIV Test results
    3. Defined in 45 CFR 164.514(e) of the HIPAA Privacy Rule
      1. http://www.dshs.wa.gov/pdf/ms/rda/hrrs/HIPAALimitedDataSets.pdf
    4. Must exclude identifying information (about the patient, family members, housemates, employers)
      1. Names
      2. Address (except for town, city, state, zip code)
      3. Phone or fax numbers
      4. Social security numbers, medical record numbers or health plan beneficiary numbers
      5. Account numbers or license/certificate numbers
      6. Vehicle identifiers, serial numbers or license plate numbers
      7. Web URLs or IP Addresses
      8. Biometrics (e.g. finger or voice prints)
      9. Photographs identifying the patient (e.g. face)
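As an added illustration of the exclusion list above (example code, not part of the original page), a small Python filter that produces a limited-data-set copy of a record: it drops the listed direct identifiers from the patient and from every nested object (family members, employer), keeps only town/city/state/zip from an address, passes dates through, and scrubs phone numbers, SSNs, URLs and IP addresses that leak into free text. The field names, regular expressions and sample record are assumptions.

```python
import re
# Direct identifiers a limited data set must exclude, per the list above (names, phone/fax,
# SSN/MRN/plan numbers, account/license numbers, vehicle ids, URLs/IPs, biometrics, photos).
EXCLUDED_FIELDS = {  # field names are assumed, not taken from the regulation
    "name", "phone", "fax", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "license_plate", "url", "ip_address",
    "biometric", "photo",
}
ALLOWED_ADDRESS = {"town", "city", "state", "zip"}  # the only address parts kept
# Identifier patterns that commonly leak inside free-text fields such as notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
]

def scrub_text(text):
    """Replace identifier patterns embedded in free text with placeholders."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def to_limited_data_set(value):
    """Copy a record, dropping excluded fields from every nested object (patient,
    family members, employer...) and trimming addresses; dates pass unchanged."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            if key in EXCLUDED_FIELDS:
                continue  # direct identifier: never copied
            if key == "address" and isinstance(item, dict):
                out[key] = {k: v for k, v in item.items() if k in ALLOWED_ADDRESS}
            else:
                out[key] = to_limited_data_set(item)
        return out
    if isinstance(value, list):
        return [to_limited_data_set(item) for item in value]
    if isinstance(value, str):
        return scrub_text(value)
    return value

SAMPLE_RECORD = {  # constructed sample record, not real patient data
    "name": "Jane Example", "mrn": "MRN-000001", "ssn": "123-45-6789",
    "date_of_birth": "1980-04-12", "diagnosis_date": "2013-06-01", "diagnosis": "HIV test positive",
    "address": {"street": "1 Main St", "city": "Springfield", "state": "IL", "zip": "62701"},
    "employer": {"name": "Acme Corp", "phone": "217-555-0100", "industry": "manufacturing"},
    "notes": "Callback 217-555-0199; portal https://example.org/p/1; client 10.0.0.7",
}
```

Free-text scrubbing is a safety net, not a substitute for reviewing which fields a data set carries before it is shared.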

IV. History

  1. 1995-1996
    1. HIPAA Privacy Act first passed in U.S. (Kennedy-Kassebaum Bill)
    2. Key legislation focus was initially insurance regulation (e.g. reduced denial based on pre-existing conditions, portability across jobs)
  2. 2009 American Recovery and Reinvestment Act (ARRA) related changes to HIPAA
    1. Addressed additional data restrictions, disclosures (e.g. security breaches), protected health information sales and reporting requirements
    2. Business associates are held to same HIPAA standards as health organizations
      1. Update Business Associate Agreements (BAA) to document policies and procedures to protect patient data
      2. In case of data security breach, business associates must notify the affected entities and Health and Human Services
  3. 2013 HIPAA Final Rule
    1. Patient information on mobile devices must be secured with a strong password
    2. Patient data and messages must be encrypted
    3. Patients may restrict insurers from being notified of their cash purchases
    4. Patients may request electronic copies of their records
    5. Electronic claim transactions must be standardized

V. Legal: Disclosure rules

  1. Patient alert with intact Decision-Making Capacity
    1. Patient has right to agree or to object to release of information to others
    2. There is no "implied" authorization to disclose protected health information under HIPAA
  2. Patient Visitors
    1. Protected information does not apply (no restriction on disclosure about the visitor)
  3. Dangerous patient
    1. Serious, imminent health and safety threat to an individual or to the public
    2. Suicidality or other serious mental illness interfering with Decision-Making Capacity
  4. Emergency in which person unable to provide consent
    1. Disclosure may be performed in best interest of patient
    2. Informal consent allows disclosure to family or friends as it relates to care or payment for care
    3. Notification of patient location, status or death to family or others responsible for patient's care
    4. Entities related to active disaster relief
  5. Attorney
    1. Requires signed release of information by patient
  6. Law enforcement
    1. Requires signed release of information by patient or power of attorney or a court order (or similar authorization)
    2. Release may be warranted where directly applicable to criminal investigation (discuss with organization attorneys)
      1. Required by law such as court order, warrant, subpoena
      2. Location of suspect, fugitive, witness or missing person
      3. Victim of a crime (or suspected victim)
      4. Patient death if that death is suspected to be related to a crime
      5. Health information is thought to be evidence of a crime that occurred on health facility premises
      6. Medical emergency related to a crime
  7. Press
    1. Requires signed release of information by patient
  8. Public Health Department or other similar federal agency protecting public health and safety
    1. Information to prevent or control disease, injury or Disability (e.g. Sexually Transmitted Disease)
    2. Child Abuse or neglect
    3. Seizure Disorder, Epilepsy, hypoglycemic episode or other event resulting in Impaired Driving risk
  9. FDA
    1. Adverse event reporting
    2. Product tracking, recalls and surveillance
  10. Individuals
    1. May be notified of exposure to communicable disease
  11. Employers
    1. Work-Related Illness or injury as it applies to workplace health and safety
  12. Health care facility
    1. Health information as it relates to treatment, payment and operations related activity
    2. Health information as it relates to provider or other facility quality, competency, fraud, abuse, compliance regarding a specific mutual patient

VI. Precautions: Secure Patient Communication

  1. HIPAA Security rule requires that covered entities perform a risk analysis to decide which forms of Patient Communication are acceptable
  2. Secure messaging via a patient portal or encrypted email may be preferred
  3. Unencrypted email is not excluded, but additional precautions should be taken, and patients may refuse this mode of communication
  4. Text messaging is not defined by the current HIPAA regulations as of 2014, but may be at increased risk of interception
  5. Direct Project is working on standards to securely send health information directly to recipients
    1. http://directproject.org/content.php?key=overview


Ontology: Health Insurance Portability and Accountability Act (C0600593)

Definition (MSH) Public Law 104-91 enacted in 1996, was designed to improve the efficiency and effectiveness of the healthcare system, protect health insurance coverage for workers and their families, and to protect individual personal health information.
Definition (NCI) Public Law 104-91, enacted in 1996, is designed to protect health insurance coverage for workers and their families when they change or lose their jobs. HIPAA has separate provisions for the large and small group markets, and the individual market. HIPAA amends the Employee Retirement Income Security Act (ERISA), the Public Health Service Act, and the Internal Revenue Code to provide improved portability and continuity of health insurance coverage, extending earlier provisions under the Consolidated Omnibus Budget Reconciliation Act of 1985 ("COBRA").(MeSH)
Definition (NCI_NCI-GLOSS) A 1996 U.S. law that allows workers and their families to keep their health insurance when they change or lose their jobs. The law also includes standards for setting up secure electronic health records and to protect the privacy of a person's health information and to keep it from being misused.