Mitigating risks and practical business practice
- Addressing HIPAA privacy is a matter of mitigating risk and practical business practice.
- Risk increases as an organization moves beyond its core treatment/payment/operations (TPO) activities to uses and disclosures outside the organization.
Privacy vs. Security
Key Definitions & Principles:
- Privacy = rules for accessing information
- Security = processes and mechanisms for protecting information
Biggest Myth: Good Security = Technology
- Technical measures alone will be insufficient
Reality: a good security program requires a solid “Confidentiality Culture”
- This takes time to develop, especially if current confidentiality awareness is low
In addition, HIPAA will require good documentation of practices
Intent of HIPAA Privacy and Security Standards:
Maintain reasonable and appropriate operational, technical and physical safeguards that:
- Ensure confidentiality and integrity of information provided to authorized staff
- Prevent unauthorized use or disclosures
- Protect against external threats and physical hazards
- Are intended to protect against both external and internal threats
Privacy Scope of Impact
- Covers Individually Identifiable Health Information maintained or transmitted by covered entities in any form, including electronic, paper and oral
- Applies only to the "covered entities" defined under HIPAA
- Covered entities must have "reasonable and appropriate" administrative and technical safeguards
- Makes use and exchange of Protected Health Information (PHI) easy for health care purposes, difficult for non-health care purposes
- Minimum necessary use or disclosure
- Sphere of privacy protection extended to business associates
- A business associate includes, but is not limited to, anyone who provides services on behalf of, or to, the covered entity. This includes contractors, lawyers, auditors, consultants, other health care organizations and billing firms.
HIPAA has defined strong privacy and security requirements to protect Individually Identifiable Health Information.
- Patients can require an accounting of any individually identifiable health information uses and disclosures, except for treatment and payment
- Patients have the right to see and copy their own health information, including documentation of who has had access to this information
- Patients are given the right to request amendments or corrections to their health information if it is incorrect or incomplete
- Privacy protections apply to all medical records and other individually identifiable health information held by a covered entity, whether communicated electronically, on paper or orally.
- Health plans and providers maintain administrative and physical safeguards; the security rules support the privacy rules.
- Covered entities have contracts with their business associates that require the appropriate safeguarding of Protected Health Information (PHI).
- Any inconsistent state or federal law offering more stringent protection and/or technological requirements must be followed.
Health Plans and Providers must:
- Designate a privacy official
- Provide ongoing privacy training to staff
- Establish and maintain a means for individuals to lodge complaints
- Settle or resolve complaints
- Implement safeguards to protect health information from any misuse
Questions to Consider
- Where is Protected Health Information (PHI) being used at your facility and by whom?
- To whom is PHI being disclosed and how?
- Have you created an inventory of all individuals and entities with which you share PHI?
- Do you have a centralized release-of-information function to respond to all requests for PHI?
- Do your staff members need to review PHI maintained at other organizations to perform their jobs?
- Do you currently have a documented policy and/or procedure that addresses management of confidential health information?