Regulatory Requirements Part 2


Course time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
00:00
Hi, everybody. Welcome back to the HCISPP Certification course with Cybrary: Regulatory Requirements, Part 2.
00:09
My name is Charlene Hutchins and I'll be your instructor for this course.
00:15
In this video, we're going to talk about PII
00:19
and PHI,
00:20
data subjects, and research, and how these apply to regulatory requirements.
00:29
It's important to understand the definitions of PII, personally identifiable information,
00:36
and PHI, protected health information.
00:40
PII is any information that allows positive identification of an individual, such as your name, your birth date, your address, or your phone number.
00:52
Protected health information, or PHI, is any of those elements that are part of the health care and treatment of an individual,
01:00
for example, your name and the name of a prescription that you're taking,
01:06
or your name
01:07
and the pharmacy where you get your prescriptions filled.
01:11
It's important to note that PII only becomes PHI
01:15
when the information is handled by a covered entity.
01:19
Remember, a covered entity is a hospital or care center,
01:25
a pharmacy
01:26
or an insurance plan.
01:27
A pharmaceutical manufacturer
01:30
is not a covered entity.
01:34
The personal information that they may have related to patients who apply for discounts on your particular brand of drugs is not protected health information under HIPAA,
01:47
and it's not subject to the same regulatory safeguards, although
01:52
it may be covered under state laws with similar protections and consequences.
02:00
Dig a little deeper.
02:00
HIPAA defines PHI as 18 different data elements, with the 18th element being
02:07
any other unique identifying number, characteristic or code.
02:14
Think about that
02:15
when you receive data from a covered entity.
02:19
Even if it's just one of these elements,
02:22
it is considered PHI and must be protected and safeguarded according to HIPAA.
02:28
It could be a list of email addresses or even the IP address from which a patient logged into their online account.
02:36
Because it's tied to a record from a covered entity, it's PHI.
02:42
An unauthorized disclosure of this information could be a potential HIPAA data breach.
02:47
The significance here is how these elements could be used to tie back to a patient.
02:53
HIPAA was created to protect the dignity of U.S. citizens and their health care information.
03:00
Disclosure of personal information may cause intrinsic harm simply because that private information is known by others,
03:08
and this is according to an article on medical research
03:13
and intangible harm in the University of Cincinnati Law Review, 2006.
03:20
Another potential danger is economic harm.
03:23
Individuals could lose their job, their health insurance, or their housing if the wrong type of information becomes public knowledge.
03:30
Consider this story.
03:32
When the HIV/AIDS epidemic broke out, the stigma around HIV and AIDS was very negative and harmful to those who contracted the virus.
03:43
Over the next several years, more education was provided about the virus and the autoimmune disease that could result afterwards.
03:52
New drugs have been developed to extend the lives of those with the virus and halt the progression of the disease.
03:59
Insurance plans began to cover some of those drugs for patients.
04:03
One insurance company,
04:04
Aetna
04:05
in 2017
04:08
used a vendor to send letters to its members.
04:11
The envelope used by the vendor contained a window to display the recipient's name and address.
04:17
The window, however,
04:18
was large enough that the first few lines of the information could be viewed.
04:25
That information indicated that the patient was taking HIV medication.
04:30
12,000 of those letters were mailed.
04:33
Anyone who handled that letter could view the information: the mail carrier, a neighbor picking up the mail, a family member who was unaware.
04:44
This was a data breach.
04:46
Any information that can be tracked back to an individual person is considered protected health information.
04:54
Aetna settled a Pennsylvania lawsuit for $17 million, and paid a $365,000 civil penalty to settle the claims, $100,000
05:08
in Connecticut, and $175,000 in D.C., for a total of $640,000 in civil suits.
05:17
Aetna then filed a $20 million lawsuit seeking damages from the vendor.
05:28
The exposure of health care information of prominent citizens and public figures in the United States prompted the legislation that led to HIPAA.
05:36
The onset of the Internet,
05:40
and its population of attackers who seek either monetary gain, notoriety, or both,
05:46
has made the challenge of protecting the information even greater.
05:49
The reality is that health information is worth more to an attacker than most other kinds of information.
05:58
According to an article on FierceHealthcare.com,
06:01
the number of patient records breached nearly tripled in 2019:
06:08
over 41 million patient records were breached in 2019, with a single hacking incident affecting close to 21 million records.
06:18
Responsibilities for protecting PHI within an organization are complex.
06:24
Here are a few responsible parties.
06:27
The data controller or manager is the senior person in charge of managing the data systems used in capturing, storing, or analyzing the PHI of patients under the care of the organization.
06:40
They're responsible for maintaining the integrity of the data system and authorizing access of internal and external users to the system
06:49
and the PHI.
06:51
The data custodian is responsible for the maintenance and integrity of the data system, software, and hardware that house and process the data.
07:00
They keep the systems updated and backed up, and monitor network activity for potential vulnerabilities.
07:09
There are two types of data owners.
07:12
The first is the person to whom the data actually pertains: the patient.
07:15
The patient has final determination over how the data is used and to whom the data can be disclosed,
07:23
and the second is the health care organization that provides the treatment or services.
07:28
They have ownership of the health record for the legally specified time period after treatment has ended.
07:35
Have you had an appointment recently?
07:40
Were you provided a HIPAA privacy statement or pamphlet, or directed to read the HIPAA privacy statement posted somewhere in the office?
07:47
If not,
07:48
pay attention the next time you go to the dentist or the doctor;
07:54
you should always receive a copy of those privacy statements.
07:57
They tell you how that organization will be using your information and who they're sharing it with,
08:03
and your rights as a patient to revoke that authority, and how to do so.
08:09
I recently remember reading through one and realizing that my name, address, and email may be sent to a marketing firm,
08:16
and that firm may send me sweepstakes information
08:20
completely unrelated to the care I was receiving.
08:24
Many times you're asked to sign a line indicating that you've received this notification as you're completing the paperwork.
08:31
I recommend not signing that portion until you have actually received the notice and read through it.
08:37
It's important to be diligent.
08:39
Any sharing of information must be done with clear permission and understanding from the patient.
08:46
Next are the data processors.
08:50
These are technical people who are involved in implementing the processing systems; they may be involved in performing data entry, testing, or systems development.
09:01
Health information is the data collected about a person across a number of treatment services from a number of health care organizations, and the health record is the collection of that health information based on treatment services. It's a record of specific services performed and their results
09:20
or interpretations
09:20
at the specific time of the treatment.
09:28
Clinical research is necessary to establish the safety and effectiveness of specific health and medical products and practices.
09:35
HIPAA regulation allows researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for health care services such as treatment,
09:54
payment or operations.
09:56
The Privacy Rule places specific emphasis on the authorization that is generally required for research uses and disclosures of PHI by a covered entity.
10:09
An authorization differs from an informed consent in that an authorization is an individual's permission for a covered entity to use or disclose PHI for a certain purpose, such as a research study,
10:22
and informed consent, on the other hand, is the individual's permission to participate in the research. An informed consent provides the research subjects with a description of the study and its risks and/or benefits, and how the confidentiality of the record will be protected.
10:41
An authorization can be combined with an informed consent, but it must contain the core elements
10:48
and required statements in the Privacy Rule.
10:50
Please read the supplemental materials for further information relating to the Privacy Rule requirements for research.
11:01
In summary, we reviewed PII and PHI,
11:05
data subjects, and research as part of regulatory requirements.
11:11
Thank you for joining me and I'll see you in the next video.