2018 Update:
HIPAA Basics
May 2018
NTS: A Position of Trust
• Patient information is highly sensitive and confidential
• Trust - a key component of healthcare delivery
• Role of the federal Health Insurance Portability & Accountability Act (HIPAA)
• Patient information is also protected by state laws
• If state law is more restrictive than HIPAA, we must follow the state law
At NTS, we occupy a position of trust in the US healthcare system. To do our work,
we have access to patients’ most sensitive information – their health information.
For the healthcare system to operate effectively, patients must have confidence that
the privacy of their information will be respected. In the United States, the federal
Health Insurance Portability and Accountability Act, known as HIPAA, was created to
provide privacy and security for patient health information, among other purposes.
Patient health information is also protected by state laws. If state laws are more
restrictive than HIPAA, Nuance must comply with the state laws.
What Types of Information Does HIPAA Protect?
HIPAA protects “Protected Health Information” (PHI)
PHI includes:
• Any information relating to a person’s health
• Any part of a medical record
• Any medical payment history
HIPAA protects individually identifiable health information held or transmitted by a
healthcare provider, a health plan, or any contractor such as NTS that provides
services to a provider or plan. HIPAA calls this information “protected health
information” or “PHI.” Individually identifiable health information is information,
including patient demographics, that relates to:
• The individual’s past, present, or future physical or mental health or condition,
• The delivery of health care to the individual, or
• The past, present, or future payment for the provision of health care to the
individual.
If there is a reasonable basis to believe that a piece of information can be used to
identify the individual, it would be protected. For example, a medical record,
laboratory report, or hospital bill would be PHI.
Examples of Protected Health Information
• Patient Name
• Patient Address
• Medical Diagnosis
• Medical Treatment
• Dates – DOB, DOS, DOD
• Telephone Numbers
• Fax Numbers
• Email Addresses
• Social Security Numbers
• Medical Record Numbers
• Health Plan Beneficiary Numbers
• Account Numbers
• Certificate/License Numbers
• Vehicle Identifiers
• Device Identifiers and Serial Numbers
• URLs
• IP Address Numbers
• Biometric Identifiers
• Full Face Photographic Images
Almost all of the dictations, transcriptions and metadata that NTS handles on behalf
of its customers will constitute PHI. This includes diagnoses, treatment, and all of the
identifying elements shown on this slide. (The identifying elements follow the identifier
categories in HIPAA’s Safe Harbor de-identification standard, 45 CFR 164.514(b)(2); the
slide is illustrative rather than exhaustive, and the standard’s final category covers any
other unique identifying number, characteristic or code.) In addition, Nuance’s
contract with the customer will generally require us to protect ALL of the data we
handle on behalf of the customer and keep it confidential and secure. The bottom
line is: treat all of the patient information and data you handle as if it is PHI.
Is this PHI?
Even a person’s name can be PHI if associated with a health issue. For example, the
fact that a person is a patient of a hospital is PHI. The example above shows an
envelope naming Jane Doe as a patient at Mercy Hospital –
Our Principal HIPAA Obligations
A business associate’s principal obligations with respect to PHI can be summarized as:
• Permitted Uses Only: Use PHI to provide customer service, but only the minimum necessary
• Confidentiality: Keep PHI confidential
• Security: Keep PHI secure
• Incidents and Breaches: Notify promptly
• Integrity and Availability: Keep PHI accurate and available
HIPAA sets out rules for how covered entities, such as hospitals and doctors, and
business associates acting on their behalf, may use PHI. For example, they may use
PHI to provide care to a patient and to operate the hospital or the medical practice.
HIPAA also sets out rules for how covered entities and business associates must
establish reasonable security and report incidents and breaches. These requirements
can be summarized as: Permitted Use Only, Confidentiality, Security, Incident and
Breach Notification, and Integrity and Availability.
Who is Responsible for HIPAA?
In the healthcare industry, you will often hear some common HIPAA terms, such as
PHI, “covered entity”, and “business associate”. Covered Entities include hospitals,
insurance companies, clinics, self‐insured employers, and small physician practices.
Business Associates include any person or business, other than a member of the
covered entity’s own workforce, that performs services for a covered entity and in
doing so processes patient information on behalf of a covered entity. NTS is a
business associate of its covered entity customers. A Covered Entity is allowed to
provide PHI to a business associate like NTS so that NTS can provide services to the
Covered Entity. To protect the PHI, the Covered Entity and the Business Associate
enter into a special contract called a Business Associate Agreement.
Business Associate Responsibilities
– Subject to HIPAA penalties
– Employees of business associates (NTS) can be held liable for criminal theft of PHI, or snooping in PHI
As a business associate, NTS is directly subject to HIPAA. This means that NTS is
subject to HIPAA penalties, including fines that can total many millions of dollars. In
addition, if NTS violates HIPAA, it will also generally be liable to the covered entity
customer for damages for breach of the Business Associate Agreement. In some
circumstances, such as a criminal theft of PHI or snooping in PHI, an individual
employee could be subject to HIPAA penalties or even imprisonment.
PHI: Strictly Confidential
As a business associate, NTS must:
• Keep all PHI strictly confidential
• Use reasonable security measures to protect the confidentiality of PHI
• Not disclose PHI to anyone except:
  • Others within NTS, but only if needed to perform services for the customer
  • The customer, when we deliver transcribed reports or if needed to solve customer problems
PHI must be kept strictly confidential. NTS has adopted security policies, procedures
and technologies to protect PHI and to help you protect PHI as well. You must
follow NTS’ policies and procedures to make sure we keep our customers’ trust and
keep PHI confidential and secure.
When using or disclosing PHI we must limit our use and disclosure to the minimum
necessary. Here at Nuance Transcription Services, we only use PHI to do our jobs. This
includes viewing and processing PHI, including the patient name, account/visit
number, medical record number, date of birth, and medical report, as needed to
provide transcription services to our customers. Sometimes, NTS personnel need to
view past reports on patients. This is allowed if it is necessary to provide
service to our customers, although we should always limit the amount of
information accessed as much as is practical.
Integrity and Availability of PHI
As well as protecting confidentiality, NTS must adopt safeguards to protect:
• Integrity
• Availability
As well as protecting the confidentiality of PHI, HIPAA is designed to make sure
that PHI remains available to healthcare providers so that it can be used for
treatment. Also, covered entities and business associates must ensure that
PHI retains its integrity, meaning that it has not been altered or destroyed in an
unauthorized manner and has not otherwise become corrupted or erroneous. For NTS
this includes making sure that a transcribed report accurately reflects the dictation.
Security Procedures
You will be provided with access to NTS’ security policies and procedures:
• Review all policies and follow them
• Ask questions if you are unsure
• If you fail to follow policy, you risk creating a ‘security incident’ that has to be reported. Tracking and reporting incidents is a time-consuming and expensive business.
You must follow NTS’ security procedures to protect PHI. These safeguards include:
1. Using passwords to protect computers and locking computers when they are unattended.
2. Keeping PHI secure at your workstation when working from home.
3. Not transmitting PHI by insecure methods, such as unencrypted email.
4. Not working in public or anywhere others could see your screen.
5. Following all other NTS security procedures provided to you.
Incidents and Breaches
NTS has an obligation to notify the customer of:
• Any security incident, including:
  • Lost laptop, if unencrypted
  • Hacking incident or malware
  • Unauthorized use or disclosure of PHI, including breaches
All potential incidents and breaches are investigated internally, tracked and recorded by NTS privacy and security personnel
As everybody working with personal data knows, security incidents and breaches are
a fact of life. We work very hard to minimize and avoid them. But if they
happen, we follow our internal breach reporting procedure:
1. We report the incident internally.
2. We investigate it promptly and stop the incident as soon as possible.
3. We mitigate the harm. If necessary, we recover or delete any PHI that was
transmitted incorrectly.
4. We report to the customer as required by our Business Associate Agreement. (HIPAA
itself requires a business associate to notify the covered entity of a breach without
unreasonable delay and no later than 60 calendar days after discovery; Business
Associate Agreements commonly set a much shorter deadline.)
5. We document the incident in our internal records.
Is it an Incident or Breach?
If at any time you suspect a security incident or data breach, you must report it immediately
Examples:
• Report sent to wrong physician or facility
• Carbon copy sent to wrong physician or facility
• You lose your laptop
• You suspect your computer has been hacked or infected with a virus
If in doubt – report!
It is not your place to classify security incidents or breaches, or to determine whether
or not a security incident or breach has occurred. If you suspect a problem, report it
to your manager immediately. They will then work with Nuance privacy and security
teams to investigate, correct, track and report as needed.
Thank You for Your Attention!
We look forward to working with you to protect our customers’ patient information.
If you have a privacy complaint, please contact the following:
Holly Woemmel at 321‐752‐3675 or e‐mail her at holly.woemmel@nuance.com
If you have claims such as disagreement with managers, interpersonal
communication issues, employee relation issues, performance issues, termination
claims, etc., these should be reported to your Human Resources Manager.
Thank you.