Health Insurance Portability and Accountability Act of 1996, as Amended


Time: 7 hours 2 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
Hello everyone, it's Chris again. I'm your instructor for the US Information Privacy course. I'm glad that you've joined me for the discussion in Lesson 6.1 on the Health Insurance Portability and Accountability Act of 1996, as amended. I truly believe that if you are supporting organizations, institutions, and companies in the public sector space or private sector space that are within the healthcare industry, then you should be familiar with HIPAA and its amendments.

We have several learning objectives: we're going to have a brief review of the Privacy Rule and the Security Rule. Before we begin that discussion, I think it's important that we talk about HIPAA's purpose.
Initially, when Congress enacted HIPAA, it was to improve the efficiency and the effectiveness of the health care system. It also wanted HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers that we know as protected health information identifiers (there are 18 to date), and privacy and security requirements. Congress also acknowledged that advances made in electronic technology pose threats to identifiable information that could pose privacy and security risks to patients and others. For that reason, HHS promulgated its final Privacy Rule in December 2008, which mandated greater privacy protections for individually identifiable information and required covered entities (health plans, healthcare clearinghouses, and health care providers) to comply with this rule. To some degree, it also had some accountability, which was minimal, for business associates, and we'll talk about those later. It was in February 2003 that HHS promulgated its final Security Rule, which established national standards for protecting the confidentiality, integrity, and availability of electronic protected health information by using administrative, physical, and technical safeguards.
Let's talk about those covered entities. As I stated before, covered entities themselves are health plans, healthcare providers, and healthcare clearinghouses. When we talk about health plans, we're talking about those plans that you and I as American citizens use: individual and group plans that provide or pay for the cost of medical care that we receive from covered entities. When we talk about these health plans, we're talking about health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare; Medicaid; Medicare+Choice; Medicare supplement insurers; and long-term care insurers. Now, we exclude from that nursing home fixed-indemnity policies. Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multiemployer health plans.

Now there are some exceptions. If there's a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan, then that entity is not going to be defined as a government entity. Now there are two types of government-funded plans or programs that also aren't health plans: those whose principal purpose is not to provide or pay for the cost of healthcare (we're talking about programs like the food stamp program), and also those programs whose principal activity is directly providing healthcare, like a community health center.
When we talk about healthcare providers, we're talking about those healthcare providers, regardless of their size, who electronically transmit health information in connection with certain transactions as defined within the HIPAA Transactions Rule: electronic billing for reimbursement for medical services rendered to a patient, and such. We're talking about claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule.

When we talk about healthcare clearinghouses, we're talking about those unique entities that process non-standard information, particularly health information, electronic protected health information that they receive from another covered entity, and translate it into standard formats or data content. For those who are familiar with the ICD coding format, or CPT, again, these are the types of formats that we're talking about.

We also have business associates that perform certain functions or activities on behalf of covered entities. What HIPAA requires is that there be a business associate contract or agreement between the covered entity and the business associate that explicitly details what the business associate's obligations and responsibilities are as it processes this information.
Let's talk about the Privacy Rule. Who has to comply? Primarily, in the year in which it was promulgated, it was basically the covered entities, with some minimal requirements for business associates. We were talking about protected health information, which was individually identifiable health information possessed by a covered entity or a business associate in any format, whether electronic or paper, where individually identifiable information could be or pertain to an individual's past, present, or future physical or mental health condition; the provision of healthcare to the individual; or any past, present, or future payment for the provision of health care to the individual or patient.

Now there are some exceptions. De-identified health information isn't covered under the Privacy Rule, so there are no restrictions on the use or disclosure of de-identified information. How do you de-identify this information? The HIPAA Privacy Rule recognizes two processes. You can use expert determination, in which you have a qualified statistician apply some type of statistical process and remove the identifiers, or you can use the safe harbor process, where you remove all 18 of the identifiers associated with PHI.

HIPAA's a lot like the Fair Information Practice Principles. It requires accountability for disclosure of patient records outside of the treatment, payment, and operations process. It requires you to grant access and allow patients, under certain circumstances, to correct their information. If that request is denied, then there has to be an accounting for the refusal to respond to the request, and it needs to be placed in the patient's records. It also requires you to have security safeguards to protect the information. It requires you to put someone in charge of your privacy program, to appoint someone to manage that program, and to train those individuals and entities that are handling protected health information on your behalf.
The Security Rule is more administrative in nature. Again, covered entities ought to comply, and business associates to some degree. We're talking about electronic protected health information, or EPHI: electronic health information in any format. It requires that these covered entities that are responsible for protecting the EPHI consider the confidentiality, integrity, and availability of all EPHI in their possession; identify and protect against reasonably anticipated security threats; protect against reasonably anticipated impermissible uses or disclosures of EPHI; and ensure compliance within their workforce. You have to have someone manage your program, and you have to provide training to those individuals responsible for handling EPHI.

It also requires these entities to conduct risk assessments that take into account their size, complexity, and capabilities; their technical hardware or software infrastructure; the costs of security measures; and the likelihood and possible impact of potential risks. You have to conduct a risk analysis, which includes evaluating the likelihood and impact of potential risks to EPHI. They have to put in place the proper security measures to assess risks, they have to document their selected security measures and, when required, the justification for selecting those, and then they have to maintain continuous, reasonable, and appropriate security protections.
Question one asks: the Privacy Rule does which of the following? The appropriate answers are A, C, and D. Question two says that covered entities must do what? The appropriate answers are A, B, C, and D.

In summary, HIPAA was a national attempt to improve the efficiency and effectiveness of the healthcare system. Later, Congress realized that it needed greater privacy and security protections in place, so it directed HHS to promulgate the Privacy Rule and the Security Rule.