Hello and welcome back to the HCISPP certification course with Cybrary: Regulatory Requirements, Part One.
My name is Shalane Hutchins and I'll be your instructor for today.
Today we're gonna talk about legal issues,
physical security, regulation commitments,
data breach regulations and jurisdiction implications.
These next modules are some of the most significant areas for the certification examination and we'll be discussing them at a high level. Please refer to the supplemental materials for further study.
As we've discussed thus far, HIPAA is the most important health care information regulation in the United States.
Health care organizations need to ensure compliance with regulations and guidelines for archiving and retaining electronic communications.
Patient confidentiality and potential malpractice litigation make it particularly important for health care organizations to ensure network security and compliance.
Although HIPAA covers many things,
physicians typically are more concerned with HIPAA's administrative simplification provisions,
and particularly the privacy, security and breach notification requirements.
The specificity of the requirements goes well beyond traditional self-evident obligations, and violations can result in serious penalties.
Health care organizations should note that HIPAA is considered the floor, meaning states may have requirements that go above and beyond what the federal government requires.
We discussed in previous modules the American Recovery and Reinvestment Stimulus Bill
of the HITECH Act of 2009,
which included the final breach notification rule, which imposes sweeping obligations on certain entities that manage personally identifiable health information.
While the provisions generally follow the same things as state notification laws,
the HITECH Act's data breach requirements contained several critical distinctions.
A breach is defined under HITECH as the unauthorized acquisition, access, use or disclosure of PHI, or protected health information.
Under the federal law, the unauthorized use or disclosure of PHI constitutes a notifiable event.
For example, if an authorized user,
someone who has authorization to use the data,
discusses the data in an unexpected or inappropriate way,
talking on an elevator around people who could overhear the conversation,
the organization would be required to comply with the breach notification requirements.
Countries around the world are stepping up to the problem of a volatile and dangerous Internet environment and crafting laws and regulations that require the protection of personally identifiable information.
The Personal Information Protection and Electronic Documents Act
and the European Union's Directive 2009/136/EC
require protections within the organizations performing medical services for patients when collecting,
storing, sharing and transmitting data across networks to other organizations.
So it's important to understand these international standards if you're transferring data across international borders.
For the most part, all privacy and security regulations require the same commitment.
Personal health care data must be collected for a specific purpose.
You cannot use the data outside of that purpose.
Information must be isolated from persons not authorized to see or use the data.
Information must be deleted at an appropriate time after it's used for a stated purpose.
And financial penalties may be collected for failure to protect the information appropriately, meaning you could be sued.
Other specifics may include identifying and defining relationships between underage or incompetent persons and their parents, guardians or caregivers who may make health care decisions,
defining the period of time information is preserved,
and a description of the permissions process for sharing or transmitting data to others beyond the original organization.
Commitments should be in place, should be documented, should be monitored and probably should be audited
on a periodic basis to ensure that the controls are in place and operating as intended.
The definition of a data breach is the impermissible use or disclosure of protected health information that compromises the security or the privacy of the data.
As with any other incident,
organizations must respond initially and seek to identify the specific details about the data or information in question.
This means the incident response plan and procedures must account for breach responses.
As you'll study in some supplemental materials, there's a four part determination to identify whether or not an incident materializes to a reportable data breach.
The major distinction of a breach is that it involves protected health information,
and the consequences may be significant in terms of financial penalties and lawsuits from those
whose data was disclosed, as well as immeasurable reputational damage to the organization.
The U.S. Department of Health and Human Services, or HHS, has increased the civil monetary penalties for HIPAA violations in accordance with the inflation adjustment.
The Inflation Adjustment Act final rule was effective on January 15 of 2020.
The increased penalty levels apply to any penalties assessed after January 15, 2012.
The Notice of Enforcement Discretion,
announced on April 30, 2019,
capped the maximum annual penalties at $10,000 for tier one,
$100,000 for tier two,
$250,000 for tier three
and $1.7 million for tier four.
The maximum penalty for a HIPAA violation in the highest tier remained at $1.7 million per violation category per year.
Prior to the review,
the maximum HIPAA violation penalty was $1.7 million in all four penalty tiers.
So the tiers are as follows.
Tier one violation is when the covered entity did not know and could not reasonably have known about the breach.
Tier two is the covered entity knew or would have known by exercising reasonable diligence,
but did not act with willful neglect,
so they may have had some controls in place. They may have had some policies and procedures, and they didn't do anything on purpose.
Tier three is the covered entity acted with willful neglect and corrected the problem within a 30-day time frame.
They just didn't put procedures in place. They didn't have controls in place. They weren't even trying to protect the data,
and then they fixed it within 30 days. That's tier three.
Tier four is the covered entity acted with willful neglect and failed to make timely correction. So not only did they not have controls, but they didn't even try to fix it.
So that's the tier four violation.
Depending upon the circumstances, individuals whose data was disclosed may seek additional compensation through the courts, which could be significant depending upon the number of individuals involved.
Historically, many state governments had laws for privacy and security of personal health data that differed from one another.
This often resulted in conflicts when the protection schemes differed between organizations that were in two different states.
One of the main efforts to resolve this difference was DURSA, the Data Use and Reciprocal Support Agreement.
DURSA was developed by the Office of the National Coordinator for Health IT (ONC)
in the U.S. Department of Health and Human Services, the HHS.
DURSA seeks to provide a framework that ensures protection for health information data exchanges. This will be on the exam.
So today we discussed legal issues,
physical and security commitments,
data breach regulations, and jurisdiction implications and regulatory requirements. As a reminder, please review the supplemental materials for this module to help you prepare for the exam.
Take care and see you in the next video.