HIPAA Privacy Rule

Video Transcription
Welcome back, you privacy pirates and cyber swashbucklers. This is lesson 1.2 of the Cybrary series Implementing a HIPAA Compliance Program for Leadership, and this is the HIPAA Privacy Rule. So if you're ready, all aboard your privacy pirate ships, raise your Jolly Roger flag and man your cannons, because we're in for a battle.
When I was a kid, you'd walk into the lobby of an office building and see a private phone room with a pay phone and a glass door to close so the caller would have privacy. And boy, has the definition of privacy changed over the years, and the communication channels privacy applies to. In today's lecture, we're gonna define PHI and why it's so important.
We're gonna cover the foundational elements of the HIPAA Privacy Rule, which intends to be the going-forward mandatory floor of patient privacy protections. We're going to review the uses and disclosures of identifiable health information, and we will cover patient consent, when and why it is needed. And then we will differentiate between the expectation of privacy, a code without the force of law, and conflicts between the patient's right to privacy and a third party's need to know. And lastly, we will set you students loose and you will create a 10,000-word blog post, 25,000 words if you want extra credit, on ethics and the laboratory cleaning policy for your hospital. So if you're ready, you privacy pirates, all aboard.
With the move to electronic health record systems came the need to define what is patient-identifiable health information, so that it would be properly protected and policies of acceptable use could be defined to help enforce privacy protections. The U.S. Department of Health and Human Services (HHS), who established the Health Information Portability and Accountability Act of 1996, created the HIPAA Privacy Rule to create the standards necessary to address the use and disclosure of protected health information (PHI) for covered entities. You'll recall from our last lecture that covered entities are health insurance plans, healthcare clearinghouses and patient care providers. The Privacy Rule's policy for the HIPAA covered entities is to address how these entities use PHI and share PHI between them: how a health insurance plan, a clearinghouse partner of the plan and the doctors who deliver the patient care all use a patient's PHI and share the information between them while assuring patient privacy. A second critical component of the HIPAA Privacy Rule is to set standards for patient rights over their PHI. Can a patient see the records, have access to them, ask to have them shared from one doctor they don't like to a new doctor they like better for ongoing treatment, etcetera?
The overarching goal of the HIPAA Privacy Rule is to protect an individual's identifiable health information while allowing the flow of health information needed to provide quality health care and protect the public health and well-being.
HHS defines protected health information (PHI) as an individual's past, present or future physical or mental health condition. PHI is the actual treatment or the provision of health care to the individual: you broke your bone and your bone was set in a cast for six weeks until your bone healed. And it is how you paid for the health care service to set your broken bone: did you use private health insurance, federally provided health payer systems like Medicaid and Medicare, or was it written off by the hospital because you didn't have insurance at all and couldn't afford the medical services? You see, protecting these things is the first part of the privacy policy. But the second part is the use and sharing agreements of this information. If you break your bones but couldn't pay for it, and if that information isn't properly protected, a future health care provider might refuse you treatment because of your inability to pay. Keeping your PHI confidential, having standards for the use and sharing of your PHI, and ensuring you, the patient, have rights to see and access these records, even control their use: these are the critical elements addressed in the HIPAA Privacy Rule.
The HIPAA Privacy Rule has the basic principle of defining and limiting the circumstances in which PHI may be used or disclosed by covered entities. Covered entities may not use or disclose protected health information unless the Privacy Rule permits it or requires it. So, like a network firewall's implicit deny rule: all traffic is denied by default until you explicitly call it out and allow it. The Privacy Rule dictates entities can only use and share PHI if it is either permitted or required by the privacy statute. Entities can only use or share PHI when the individual or the personal representative allows it in writing. So, if not permitted or required by the HIPAA Privacy Rule, covered entities can only use, disclose and share PHI without patient authorization when treatment is being performed; payment or normal health care operations are being performed; an entity needs to agree or object to a service or payment; the needs of the public interest outweigh the need for privacy; or a limited data set is being used for the purpose of research. So maybe a research team could use the information about your broken nose and its treatment, but they don't require your name, your address, your Social Security information, your payment history, etcetera. And the HIPAA Privacy Rule wants to limit the uses and disclosures of PHI to the minimum necessary. Think of this as need to know: if you don't need a patient's billing history, the information shouldn't be shared with that partner.
Consent or individual authorization must be given in writing for any use of PHI not related to a patient's treatment or payment for healthcare services, or not explicitly permitted or required by the HIPAA Privacy Rule. A really big deal and byproduct of the Privacy Rule is that a covered entity cannot condition treatment on an individual's refusal to authorize the disclosure of their health records: if you don't give me your patient history and payment records, I might limit or refuse you treatment. And any written authorized consent has to be very specific and limited in scope. This is the information, and only the information, I authorize you, the covered entity, to share with the specific partner, and only for this single instance, for this purpose. Example: I authorize you to share my yearly medical physical checkup results with this life insurance policy for the specific task of approving me or denying me life insurance coverage. Authorized are only last year's results, and only to this provider. The information can be shared for 30 days with this end date, and I reserve the right to revoke this written authorization at any time.
The administrative requirements of a covered entity regarding keeping an individual's identifiable medical information private are many. I put a wrapper around the subject by using the term code of ethics. A covered entity needs to incorporate into their actual culture and employee identity a code of ethics, into the company's core values, the importance of maintaining patient privacy and adhering to the organization's privacy policies and procedures. An organization with these core values will have a privacy official who is responsible for developing and implementing the organization's privacy policies and procedures, and a contact office responsible for receiving complaints and who provides individuals with information on the covered entity's privacy practices. And there should be a comprehensive workforce training and management program that includes the employees, volunteers and trainees of the covered entities in their roles and their adherence to guarantee patient privacy: how to use PHI, when and when not to share PHI, when authorized consent is required, when and how to process complaints, and patient record documentation and record retention policies. It's always the users of an organization's data that are either the weakest security control or its strongest. No firewall can keep people from sharing data that they shouldn't.
Blimey and blow the man down, it's time for you pirates to have your privacy quiz. When is patient authorization required to disclose PHI? So hit pause, fire your cannons at your nearest enemy, make a note of your answers and hit resume before somebody cooks the parrot. So consent is required for any records request outside of treating the patient, billing purposes, or one required by the Privacy Rule. Patient authorization, i.e. consent, must be written and narrow in scope. And if you don't complete your 10,000-word blog on ethics by Friday at 5 p.m., you'll be walking the gangplank on your way to the bottom of the sea to meet with Davy Jones' locker.
So in this video we defined what is protected health information, and we reviewed the core elements of the Privacy Rule: PHI disclosure rules and the patient's rights to access the records and control the use, disclosure and sharing of an individual's protected health information. In our next video, we will cover the HIPAA Enforcement Rule and the financial ramifications of misuse or the neglectful treatment of an individual's protected health information. So thanks for attending the second lecture of the Cybrary series Implementing a HIPAA Compliance Program for Leadership. We hope now you have a better understanding of PHI and the rules surrounding an individual's right to privacy. On behalf of the entire Cybrary, lads and lassies, we hope you keep your sword sharp, your cannons loaded, and that you scalawags aren't hung from the yardarm and fed to the fish. So thank you so much for joining. We hope you're having a good day. Take care, and happy journeys.