Health Insurance Portability and Accountability Act
Public Law 104-191

Introduction

In 1996 the Health Insurance Portability and Accountability Act (HIPAA) was just a bill waiting to be passed. On August 21st President Bill Clinton signed it, making it Public Law 104-191. HIPAA sets standards for patient privacy and confidentiality. Compliance is mandatory, and failure to comply may result in civil and criminal penalties.
HIPAA Privacy Rule Definitions

Privacy is the right of an individual to control personal information and not have it disclosed or used by others without permission.

Confidentiality is the obligation of another party to respect privacy by protecting personal information they receive and preventing it from being used or disclosed without the subject’s knowledge and permission.

Security is the means used to protect the integrity, availability and confidentiality of information by physical, technical and administrative safeguards.

Protected Health Information (PHI) is individually identifiable health information, transmitted or maintained in any form or medium, held by covered entities or their business associates.
HIPAA touches on many aspects of healthcare. This includes:
• Protecting health insurance coverage and improving access to care.
• Improving the quality, efficiency, and effectiveness of healthcare.
• Protecting privacy and security of patient health information.
• Reducing healthcare administrative costs.
How HIPAA Protects Patient Privacy

• Establishes standards giving patients new rights and protection against the misuse and disclosure of their health information.
• Sets boundaries on others for the use and release of medical information.
• Provides resources if privacy protections are violated, including civil and criminal penalties for those who knowingly violate HIPAA regulations.
Providers and Health Insurers

Providers and health insurers who are required to follow the law must keep your information private by:
• Teaching the people who work for them how your information may and may not be used and shared.
• Taking appropriate and reasonable steps to keep your health information secure.
Covered Entities

A covered entity (such as a health plan) may not use or disclose PHI unless it is required or permitted to do so. There are only two required uses of disclosure under the HIPAA privacy rules—when the patient or the person who is the subject of the information requests the information, and when the government requests it as part of an inspection. All other legal uses of PHI are permissive rather than required.

Consent for treatment, payment and health care operations is implied and not required, as long as what is provided is the "minimally necessary" information and privacy notices have been sent, but most other uses of PHI require written authorization.
Examples of Covered Entities

• Health insurance plans
• Health care clearinghouses
• Physician offices
• Hospitals
• Clinics
• Self-insured employers
Policy Exception

Covered entities may use or disclose PHI without a consent or authorization only if the use or disclosure comes within one of the listed exceptions and certain conditions are met:
• As required by law.
• For public health.
• For law enforcement.
• For health care oversight.
• For research.
• For organ transplants.
• For coroners, medical examiners, funeral directors.
What is covered by HIPAA?

• The medical record (protected health information), which includes all information that is created by any covered entity, such as paper, electronic, photos, etc.
• Individually identifiable health information such as photo, name, address, date of birth, etc.
Protected Health Information (PHI)

PHI under HIPAA includes any individually identifiable health information.

Identifiable refers not only to data that is explicitly linked to a particular individual. It also includes health information with data items which reasonably could be expected to allow individual identification.

You don’t have PHI under HIPAA privacy unless you have individual identifiers and health information in the same place, a “compound” of two “elements.”

Individual identifiers can be anything that will point to the subject of the information, including names, social security numbers or in some cases even zip codes.
Individually Identifiable Health Information

Is information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse.

Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Examples of Identifiers

• Name, Address, Telephone Numbers, Fax Numbers
• Electronic Mail Addresses
• Date of Birth, Social Security Numbers
• Account Numbers, Medical Record Numbers
• Admission and Discharge Date
• Date of Death
Under HIPAA Privacy

Individuals have the rights to:
• A written notice of information practices from health plans and providers.
• Inspect and obtain a copy of their PHI.
• Obtain an accounting of disclosures.
• Amend their records.
• Request restrictions on uses and disclosures.
• Have reasonable communication requests accommodated.
• Complain to the covered entity and to Health and Human Services.
Consent and Authorization of Patient Care

Informed consent is signed at the first encounter the patient has with the provider of healthcare. The consent covers treatment, payment, and other health care information.
Guiding Principle

A general guiding principle for having and using any clinical information/data is that no person should be able to link the information that is shared back to a specific individual. Information concerning a patient must only be shared with people who are directly involved in the patient’s care.
Minimum Necessary Rule

HIPAA established the “minimum necessary rule,” which stipulates that only the minimum necessary information may be shared, even with a patient authorization. Health professionals involved in the treatment of patients are not subject to the minimum necessary rule and can have full access to all information that is needed to provide patient care. Health information that has implications for the public health and safety can be shared without consent.

A nurse who seeks information about a patient not under his/her care is violating the HIPAA rule. The intent of HIPAA is to protect patients from unauthorized or inappropriate use.

The rule also protects patients by giving them access to their health information and the information that is contained in it.
Ways To Prevent HIPAA Violation

Violation

If you use a computer that requires you to log in, then remember to log off. Allowing another individual to use your password is a violation of hospital policy.

Violation

Never discuss patient information in hallways, elevators, etc. Remember to speak softly while talking with a patient in a semi-private room. This ensures patient confidentiality.

Violation

Use a hospital cover sheet when faxing any health-related information. Never discard patient information in the trash. Most hospitals have equipment that stores health information for shredding.
Examples of Wrongful Disclosure (Reportable to the Ethics and Compliance Officer)

Wrongful Disclosure

• Inappropriate access and disclosure (gossiping).
• Allowing family/friends to assist, observe or visit the work area.
• Allowing students to observe without workforce training.
Other Violations

• Providing more PHI than necessary.
• Nurse/physician pulling the wrong chart.
• Disclosure to the patient’s employer when the issue is not worker’s compensation.
• Providing the wrong PHI to a requester (discharge instructions, lab results, bills).
• Accessing personal, friend or family PHI.
Nurse Staffing Unlimited

Nurse Staffing Unlimited is a "business associate" of hospitals, clinics and other healthcare providers subject to HIPAA.

Healthcare clinicians employed by healthcare staffing agencies are responsible for following HIPAA guidelines. There are no exceptions to the rule.
Test

The HIPAA test consists of 20 questions. If you have received a username and password you may go to www.clinicaledu.com to sign in. The passing score is 80%, with remediation to 100%.

For comments about any of the information contained in this presentation, please go to www.clinicaledu.com