1. The Health Insurance Portability and Accountability Act of 1996 (sometimes referred to as the "Privacy Rule") was published in December 2000; this set the national standards for the protection of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI).
The Security Rule and Enforcement Rule became effective in 2003; these set the standards for protecting the integrity and availability of ePHI, as well as the standards for enforcing HIPAA rules.
The Office of Civil Rights, operating within the Department of Health and Human Services at the Office of the Attorney General, became responsible for enforcing these rules in July 2019.
2. The HIPAA Privacy Rule is about a person's rights concerning their own Protected Health Information (PHI), how we may use and disclose a person's PHI, and administrative requirements we must follow.
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
3. PHI is information that is created or received by Health Affiliates Maine or its Business Associates that relates to the past, present, or future physical or mental health condition of a client, or to payment for services.
The 18 identifiers that make health information PHI are:
- Dates, except year
- Telephone numbers
- Geographic data
- FAX numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers (e.g. retinal scans, fingerprints)
- Any unique identifying number or code
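As an added illustration (not code from Health Affiliates Maine or from the HIPAA rule itself), the Python screen below flags the pattern-detectable subset of the identifiers listed above in free text, which is the first step in deciding whether a note is PHI and what must be redacted before a minimum-necessary disclosure. The sample note, the MRN format and the regular expressions are assumptions; names, geographic data, photos and biometrics cannot be found this way and need other controls.

```python
import re

# Assumed patterns for the identifier categories that can be matched by shape.
# This is a screening aid, not a de-identification tool: a clean result here
# does not prove a note is free of PHI (names, addresses, etc. are not covered).
IDENTIFIER_PATTERNS = {
    "Dates, except year": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "Telephone numbers": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "Social Security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Email addresses": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Assumed local convention: "MRN" followed by at least six digits.
    "Medical record numbers": re.compile(r"\bMRN[:# ]?\s*\d{6,}\b", re.IGNORECASE),
    "Web URLs": re.compile(r"\bhttps?://\S+"),
    "Internet protocol addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample note; every value in it is made up.
SAMPLE_NOTE = (
    "Constructed sample: client seen 04/15/2023 for follow-up. "
    "Contact 207-555-0123 or jane.doe@example.org; MRN 00123456. "
    "Portal login from 192.0.2.10 via https://portal.example.org/visit?id=42"
)


def find_identifiers(text):
    """Return {identifier category: [matched strings]} for categories present."""
    found = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def is_phi(text):
    """Health information carrying any listed identifier is PHI per item 3 above."""
    return bool(find_identifiers(text))


def redact(text):
    """Replace each detected identifier with its category tag before disclosure."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


if __name__ == "__main__":
    for category, matches in find_identifiers(SAMPLE_NOTE).items():
        print(f"{category}: {matches}")
    print(redact(SAMPLE_NOTE))
```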
4. With limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, the medical and health information (protected health information or PHI) about them in one or more designated record sets maintained by or for the individuals' health care providers and health plans.
5. The Notice of Privacy Practices is a document the Covered Entity generates and provides to the patient upon patient request. The Notice of Privacy Practices contains a description of the types of uses and disclosures permitted under this standard, as well as a description of other reasons the Covered Entity may use or disclose PHI without the authorization of the patient. The Notice of Privacy Practices also sets forth patient rights under HIPAA and provides a summary of disclosures that can be made only with the patient's written authorization.
6. The Notice of Privacy Practices explains when disclosures can be made without written consent (besides mandated reporting for abuse, neglect, and exploitation).
The disclosures that are required by law without written consent, following the Minimum Necessary Standard, include:
- Organ and Tissue Donation
- Public Health Risk
- Health Oversight Activities
- Lawsuits and Disputes
- Coroners, Medical Examiners, and Funeral Directors
- National Security and Intelligence Activities
7. The Minimum Necessary Standard applies to all uses, disclosures and requests of PHI.
"A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure."
8. When electronically transmitting ePHI, a mechanism to encrypt the ePHI must be implemented.
(Taking pictures with a smartphone/tablet and/or using ANY e-fax service without a BAA is an unacceptable method of transmitting ePHI.)
9. Phishing (by email) or Vishing (by phone) is the attempt to acquire sensitive information such as usernames, passwords and credit card numbers by masquerading as a trustworthy entity in a communication.
According to the 2019 Verizon Data Breach Investigations Report, nearly 1/3 of all breaches in the past year involved phishing attacks.
Human behavior is the biggest vulnerability for organizations trying to avoid phishing attacks. To spot phishing attacks, it is important to look carefully at the sender information in an email, not just the subject line.
10. HIPAA Compliance Policy and Procedures violations and breaches must be reported to HAM's Privacy Officer IMMEDIATELY!
Depending on the violation or breach, reporting may be required to your Licensure Board and the Office of Civil Rights operating within the Department of Health and Human Services at the Office of the Attorney General. (ALL breaches will need to be reported)