HIPAA and HITECH 2025 Lecture Notes PDF

Summary

This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) and related regulations governing protected health information (PHI). It defines covered entities, business associates, and protected health information, and outlines when PHI may be disclosed, the different levels of disclosure, risk analysis, password management, and the administrative, physical and technical safeguards of the Security Rule.

Full Transcript

Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
January 16, 2025 (Week 1)

HIPAA is composed of 2 main rules:
- Privacy Rule
- Security Rule (only applies to electronic health information)

Does HIPAA apply to:
- Wearables?
- Friends who talk about your medical information?

HIPAA only applies to:
- Covered entities (CE) AND
- Business associates (BA)

Covered entity → a health care provider that electronically transmits health information in connection with certain transactions

Business associate → an organization or person (other than the covered entity's workforce) that performs functions for, or provides services to, a covered entity that involve the use or disclosure of PHI

Is Instagram a CE? A BA? What about your friend who betrays your confidence? Apple? Whoop? Other wearables?

HIPAA only applies to Protected Health Information (PHI)

What is PHI? "Individually identifiable health information held or transmitted by a CE or its BA, whether electronic, paper, or oral."

PHI broken down:
1) Health information that is
2) Individually identifiable

What is health information? Health information relates to:
- the individual's past, present, or future physical or mental health or condition, or
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual

Which of the following are considered health information?
- doctor's note about your visit?
- MRI report?
- accessing the patient portal to get a prescription refilled?
- browsing history on a hospital website?
- plastic surgeon posts before/after pictures on a website?

Part II of PHI → Is the health information individually identifiable?
- Patient in NYC with high blood pressure?
- Dr. Green's patient John Smith has a torn ACL?
- Patient in General Hospital is a fall risk?
- 98 year old patient in Shady Acres Nursing Home has dementia?
- 98 year old female patient in Shady Acres Nursing Home has dementia?
- 98 year old patient in Room 222 in Shady Acres Nursing Home has dementia?
- Person browsing General Hospital website for information about orthopedic physicians?

18 common identifiers under HIPAA:
- Name
- Geographic subdivisions such as street address, zip code
- Dates such as date of birth, admission date, date of death
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifier
- URL
- IP address
- Biometric identifier
- Full face photo
- Any other unique identifying number, characteristic or code

Disclosure of PHI. When can a CE disclose PHI?
- to another CE?
- to the patient?
- if it receives a subpoena?
- to the patient's spouse/significant other?
- to the patient's insurance company?
- to the patient's employer?
- to a minor's parents?
- to a judge?
- by a plastic surgeon using before/after pictures?

Different levels of when PHI can be disclosed:
1. Uses and disclosures to carry out treatment, payment or health care operations (45 CFR §506)
2. Uses and disclosures for which an authorization is required (45

Exercise: Come up with 2 instances or scenarios for the disclosure of PHI under each rule (#1 through #4).

Treatment, Payment or Healthcare Operations
- Healthcare operations … think Atrium or Novant

Only With Authorization
- marketing

Opportunity To Object
- family member/relative/close personal friend, and the PHI is directly relevant to the person's involvement with the patient's health care or payment for health care

Opportunity To Object Is Not Required*
- public health activities

Other Requirements of the Privacy Rule
- Notice of Privacy Practices

HIPAA Security Rule
- Addresses security of electronic PHI (ePHI) only
- General Rules: Rigid or flexible?

Administrative Safeguards
- Risk analysis
- Protect against malware
- Log-in monitoring
- Password management

Physical Safeguards
- facility security

Technical Safeguards
- unique user ID
