Deepscribe HIPAA

This document discusses HIPAA compliance and privacy rules. It explains that HIPAA aims to protect patient privacy and secure health information. It covers the key aspects of HIPAA, including what information is considered protected health information (PHI), who can access PHI, examples of HIPAA violations, and penalties for non-compliance. The document provides examples of how associates should avoid improperly disclosing patient information or mishandling medical records to protect PHI.

HIPAA Compliance

Learning Objectives

By the end of this module, you will be able to:

● Explain what HIPAA is
● Describe the purpose of HIPAA
● Explain what PHI is (with examples)
● Describe HIPAA violations (with examples)


What is HIPAA?

● HIPAA stands for “Health Insurance Portability and Accountability Act”.
● U.S. legislation that provides data privacy and security provisions for safeguarding medical information.

The Purpose of HIPAA

1. To improve the overall efficiency of the healthcare industry.
2. To improve the portability of health insurance.
3. To protect the privacy of patients and health plan members.
4. To ensure that health information is kept secure and patients are notified of breaches in their health data.

The Purpose of HIPAA (continued)

5. Healthcare providers are required to protect personal health information and keep it confidential.
6. HIPAA sets limits and conditions on the use and disclosure of this information without patient authorization.
7. Patients have the right to obtain copies of their own medical records and to request corrections to them.

HIPAA Rules
HIPAA Privacy Rule

HIPAA defines the circumstances under which a person may disclose or use Protected Health Information (PHI).

For the most part, the rule on patient privacy:

● Restricts the extent to which medical records can be shared without explicit consent
● Allows patients and their next of kin (representatives) to access their medical records
● Requires requests for access/disclosure to be responded to within 30 days of receipt

HIPAA Security Rule

The HIPAA Security Rule sets out the minimum standards for protecting electronic protected health information (ePHI).

The HIPAA Security Rule covers the following aspects:

● The organizations that may need to follow the Security Rule and are deemed covered entities
● Safeguards, policies, and procedures that can be put in place to meet HIPAA compliance
● Health care information that is under the protection of the Security Rule

To put it simply, anyone who is part of a “business associate” or “covered entity” and can access, alter, create, or transfer recorded ePHI is required to follow these standards.

HIPAA Security Rule (continued)

A covered entity must take the following steps to ensure the security of all ePHI it creates, sends, or receives:

● Ensure the confidentiality, integrity, and availability of the ePHI
● Protect against improper uses and disclosures of data
● Protect the ePHI against potential threats, safeguarding patients’ medical records
● Train employees so that they are aware of the compliance factors of the Security Rule
● Adapt policies and procedures to meet any updates to the Security Rule

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule states that the Department of Health and Human Services must be informed as soon as possible if there has been a data breach.

● Regardless of the nature of the breach, this must be done within 60 days of its discovery.
● If a breach involves a person’s personal information, that person must be notified within 60 days of the discovery of the breach.
● Alternatively, the “covered entity” may decide not to send a breach notification if it can show that the critical elements of the PHI have not been compromised. If those elements are later found to have been compromised, a finding of a Privacy and Security Rule violation would be warranted.

HIPAA Breach Notification Rule (continued)

Reportable Breaches and Exceptions

A breach of PHI occurs when an organization improperly uses or discloses PHI. However, organizations are only required to send alerts for PHI that is not encrypted. In addition, there are 3 circumstances in which the Breach Notification Rule is more lenient for such compliance violations and PHI breaches:

1. If it was unintentional or done in good faith, and was within the scope of the authority
2. If it was done unintentionally between 2 people permitted to access the PHI
3. If the organization has a good faith belief that the person to whom the disclosure was made would not be able to retain the PHI

In such a case, the organization should ensure that such incidents don’t recur and carry out corrective action plans. Breach alerts are required only for unsecured PHI.

What is PHI?
Protected Health Information (PHI)

What is PHI? In summary, PHI is any information that can identify a patient and is related to the patient’s past, present, or future physical or mental health condition.

PHI should only be accessed if you need to know for TPO (treatment, payment, or healthcare operations).

PHI includes:
● Names
● Address & Phone/Fax numbers
● Date of Birth (DOB)
● Medical Record Number (MRN)
● Social Security Number (SSN)
● Employer Name
● Diagnosis, Medical History, Medications
● Surgical and other procedures
● Names of relatives and their employers
● Insurance/Health plan and billing records
● Email address
● Photographs that would identify the patient

Protected Health Information (PHI) (continued)

Diagram: Identifier + Health Information = Protected Health Information

Who Can Access PHI?

Clinical staff, physicians, and employees.

● However, these individuals can only access PHI when there is a need to do their job for TPO (treatment, payment, or healthcare operations).
● Release of PHI for non-TPO purposes, or accessing your own family’s records, is not permitted without a signed authorization form.

Patient signed consent is required when:

● A patient requests a copy of their medical records
● A patient requests PHI to be sent to a 3rd party
● PHI is used for fundraising
● PHI is released to media or for public display
● PHI is released to an attorney

HIPAA Compliance & Violations

How does this apply to you?

HIPAA Compliance

It is crucial that you follow HIPAA compliance requirements and that you do NOT violate any of the established laws.

Failure to comply with HIPAA can result in civil and/or criminal penalties including fines up to $250,000 and/or prison sentences of up to 10 years.

What is Considered a Breach of HIPAA

A “breach” of Protected Health Information (PHI) is defined as the acquisition, use, or disclosure of unsecured PHI in a manner not permitted by HIPAA.

As a result, it poses a significant risk of financial, reputational, or other harm to the affected individual (the patient).

Examples of HIPAA Violations

● Associates disclosing information
○ Be mindful of your environment.
○ Restrict conversations about patients to private places only.
○ Avoid sharing any patient information with friends, family, and co-workers/colleagues.

● Mishandling of medical records
○ Printed medical records must be locked away from the public’s view.

● Texting/emailing patient information
○ This potentially places patient data in the hands of cyber criminals or other unwanted people who can easily access this information.

● Lost or stolen devices
○ If PHI is stolen/lost via laptops, desktops, and/or smartphones, this can result in fines.

Examples of HIPAA Violations (continued)

● Social media
○ Sharing photos and PHI of the patient on Facebook, LinkedIn, Instagram, Twitter, Tumblr, etc.

● Employees illegally accessing files
○ Accessing patient files when they are not authorized (out of curiosity, spite, or as a favor to a relative/friend).

● Authorization requirements
○ Written consent is required for the use or disclosure of any individual’s PHI that is not used for treatment, healthcare operations, or otherwise permitted by the HIPAA Privacy Rule.

Do Your Part to Protect PHI

● Only access information during your assigned shifts and for your assigned note(s).
● When accessing patient charts/audio recordings, work in a private space with headphones.
● Do not access information outside of your work hours.
● Do not release PHI to friends, family, etc.
● Log off of your app when you’re not working.
● Promptly report any patient privacy incidents to your supervisor.
● Treat your patients’ information the way you would want your own personal information treated.

Summary
Summary Highlights

● HIPAA = Health Insurance Portability & Accountability Act
● HIPAA safeguards medical information
● PHI = Protected Health Information
● PHI includes any information that can identify a patient
● Work in a private area wearing headphones

END OF MODULE

UP NEXT:
HIPAA Quiz
