5 hours 25 minutes
Hi, everybody. Welcome back to the HCISPP certification course with Cybrary. Regulatory requirements, part two.
My name is Charlene Hutchins and I'll be your instructor for this course.
In this video, we're going to talk about PII
and PHI,
data subjects and research, and how these apply to regulatory requirements.
It's important to understand the definitions of PII, personally identifiable information,
and PHI, protected health information.
PII is any information that allows positive identification of an individual, such as your name, your birth date, your address or your phone number.
Protected health information, or PHI, is any of those elements that are part of the health care and treatment of an individual,
for example, your name and the name of a prescription that you're taking,
or your name
and the pharmacy where you get your prescriptions filled.
It's important to note that PII only becomes PHI
when the information is handled by a covered entity.
Remember, a covered entity is a hospital or care center,
or an insurance plan.
A pharmaceutical manufacturer
is not a covered entity.
The personal information that they may have related to patients who apply for discounts for their particular brand of drugs is not protected health information under HIPAA.
And it's not subject to the same regulatory safeguards, although
it may be covered under state laws with similar protections and consequences.
Dig a little deeper.
HIPAA defines PHI as 18 different data elements, with the 18th element being
any other unique identifying number, characteristic or code.
Think about that
When you receive data from a covered entity,
even if it's just one of these elements,
it is considered PHI and must be protected and safeguarded according to HIPAA.
It could be a list of email addresses or even the IP address from where a patient logged into their online accounts.
Because it's tied to a record from a covered entity, it's PHI.
An unauthorized disclosure of this information could be a potential HIPAA data breach.
The significance here is how these elements could be used to tie back to a patient.
HIPAA was created to protect the dignity of U.S. citizens and their health care information.
Disclosure of personal information may cause intrinsic harm simply because that private information is known by others,
and this is according to Saver, R., "Medical Research and Intangible Harm,"
University of Cincinnati Law Review, 2006.
Another potential danger is economic harm.
Individuals could lose their job, their health insurance or housing if the wrong type of information becomes public knowledge.
Consider this story.
When the HIV AIDS epidemic broke out, the stigma around HIV and AIDS was very negative and harmful to those who contracted the virus.
Over the next several years, more education was provided about the virus and the autoimmune disease that could result afterwards.
New drugs have been developed to extend the lives of those with the virus and halt the progression of the disease.
Insurance plans began to cover some of those drugs for patients.
One insurance company
used a vendor to send letters to its members.
The envelope used by the vendor contained a window to display the recipient's name and address.
The window, however,
was large enough that the first few lines of the information could be viewed.
That information indicated that the patient was taking HIV medication.
12,000 of those letters were mailed.
Anyone who handled that letter could view the information: the mail carrier, a neighbor picking up the mail, a family member who was unaware.
This was a data breach.
Any information that can be tracked back to an individual person is considered protected health information.
Aetna settled a Pennsylvanian lawsuit for $17 million, and a $365,000 civil penalty to settle the claims, $100,000
in Connecticut and $175,000 in D.C., for a total of $640,000 in civil suits.
Aetna then filed a $20 million lawsuit seeking damages from the vendor.
The exposure of health care information of prominent citizens and public figures in the United States prompted the legislation that led to HIPAA.
The onset of the Internet
and its population of attackers who seek either monetary gain, notoriety or both
has made the challenge of protecting the information even greater.
The reality is that health information is worth more to an attacker than most other kinds of information.
According to an article on FierceHealthcare.com,
the number of patient records breached nearly tripled in 2019.
Over 41 million patient records were breached in 2019, with a single hacking incident affecting close to 21 million records.
Responsibilities for protecting PHI within an organization are complex.
Here are a few responsible parties.
The data controller or manager is the senior person in charge of managing the data systems used in capturing, storing or analyzing the PHI of patients under the care of the organization.
They're responsible for maintaining the integrity of the data system and authorizing access of internal and external users to the system
and the PHI.
The data custodian is responsible for the maintenance and integrity of the data system, software and hardware that house and process the data.
They keep the systems updated and backed up, and monitor network activity for potential vulnerabilities.
There are two types of data owners.
The first is the person to whom the data actually pertains, the patient.
The patient has final determination for how the data is used and to whom the data can be disclosed,
and the second is the health care organization that provides the treatment or services.
They have ownership of the health record for the legally specified time period after treatment has ended.
Have you had an appointment recently?
Were you provided a HIPAA privacy statement or pamphlet, or directed to read the HIPAA privacy statement posted somewhere in the office?
Pay attention the next time you go to the dentist or to the idea.
you should always receive a copy of those privacy statements.
They tell you how that organization will be using your information and who they're sharing it with
and your rights as a patient to revoke the authority and how to do so.
I recently remember reading through one and realized that my name and address and email may be sent to a marketing firm.
That firm may send me sweepstakes information
completely unrelated to the care I was receiving.
Many times you're asked to sign a line indicating that you've received this notification as you're completing the paperwork.
I recommend not signing that portion until you've actually received the notice and read through it.
It's important to decent.
Any sharing of information must be done with clear permission and understanding from the patient.
Next are the data processors.
These are technical people who are involved in implementing the processing systems. They may be involved in performing data entry, testing or systems development.
Health information is the data collected about a person across a number of treatment services from a number of health care organizations, and the health record is the collection of that health information based on treatment services. It's a record of specific services performed and their results
at the specific time of the treatment.
Clinical research is necessary to establish the safety and effectiveness of specific health and medical products and practices.
HIPAA regulation allows researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates or discloses PHI that will be entered into the medical record or will be used for health care services such as treatment,
payment or operations.
The Privacy Rule places specific emphasis on the authorization that is generally required for research uses and disclosures of PHI by a covered entity.
An authorization differs from an informed consent in that an authorization is an individual's permission for a covered entity to use or disclose PHI for a certain purpose, a research study.
An informed consent, on the other hand, is the individual's permission to participate in the research. An informed consent provides the research subjects with a description of the study and its risks and/or benefits, and how the confidentiality of the record will be protected.
An authorization can be combined with an informed consent but must contain the core elements
and required statements in the Privacy Rule.
Please read the supplemental materials for further information relating to the privacy rule requirements for research
In summary, we reviewed PII and PHI,
data subjects and research as part of regulatory requirements.
Thank you for joining me and I'll see you in the next video.
This HCISPP training provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.