Regulatory Requirements Part 2


Course time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
Hi everybody. Welcome back to the HCISPP certification course with Cybrary, Regulatory Requirements, Part 2. My name is Schlaine Hutchins and I'll be your instructor for this course. In this video, we're going to talk about PII and PHI, data subjects and research, and how these apply to regulatory requirements.

It's important to understand the definitions of PII, personally identifiable information, and PHI, protected health information. PII is any information that allows positive identification of an individual, such as your name, your birth date, your address, or your phone number. Protected health information, or PHI, is any of those elements that are part of the health care and treatment of an individual. For example, your name and the name of a prescription that you're taking, or your name and the pharmacy where you get your prescriptions filled. It's important to note that PII only becomes PHI when the information is handled by a covered entity. Remember, a covered entity is a hospital or a care center, a pharmacy, or an insurance plan. A pharmaceutical manufacturer is not a covered entity. The personal information that they may have related to patients who apply for discounts on their particular brand of drugs is not protected health information under HIPAA, and it's not subject to the same regulatory safeguards, although it may be covered under state laws with similar protections and consequences.

To go a little deeper, HIPAA defines PHI as 18 different data elements, with the 18th element being any other unique identifying number, characteristic, or code. Think about that. When you receive data from a covered entity, even if it's just one of these elements, it is considered PHI and must be protected and safeguarded according to HIPAA. It could be a list of email addresses or even the IP address from where a patient logged into their online account. Because it's tied to a record from a covered entity, it's PHI. An unauthorized disclosure of this information could be a potential HIPAA data breach. The significance here is how these elements can be used to tie back to a patient.

HIPAA was created to protect the dignity of US citizens and their health care information. Disclosure of personal information may cause intrinsic harm simply because that private information is known by others, and this is according to savor our Medical Research and Intangible Harm, a University of Cincinnati Law Review, 2006. Another potential danger is economic harm. Individuals could lose their job, their health insurance, or housing if the wrong type of information becomes public knowledge.

Consider this story. When the HIV/AIDS epidemic broke out, the stigma around HIV/AIDS was very negative and harmful to those who contracted the virus. Over the next several years, more education was provided about the virus and the auto-immune disease that could result afterwards. New drugs have been developed to extend the lives of those with the virus and halt the progression of the disease. Insurance plans began to cover some of those drugs for patients. One insurance company, Aetna, in 2017, used a vendor to send letters to its members. The envelope used by the vendor contained a window to display the recipient's name and address. The window, however, was large enough that the first few lines of the information could be viewed. That information indicated that the patient was taking HIV medication. 12,000 of those letters were mailed. Anyone who handled that letter could view the information: the mail carrier, a neighbor picking up the mail, a family member who was unaware. This was a data breach. Any information that can be tracked back to an individual person is considered protected health information. Aetna settled the Pennsylvania lawsuit for $17 million and a $365,000 civil penalty, and settled the claims for $100,000 in Connecticut and $175,000 in DC, for a total of $640,000 in civil suits. Aetna then filed a $20 million lawsuit seeking damages from the vendor.

The exposure of health care information of prominent citizens and public figures in the United States prompted the legislation that led to HIPAA. The onset of the Internet, and its population of attackers who seek either monetary gain, notoriety, or both, has made the challenge of protecting the information even greater. The reality is that health information is worth more to an attacker than most other kinds of information. According to an article on FierceHealthcare.com, the number of patient records breached nearly tripled in 2019. Over 41 million patient records were breached in 2019, with a single hacking incident affecting close to 21 million records.

Responsibility for protecting PHI within an organization is complex. Here are a few responsible parties. The data controller or manager is the senior person in charge of managing the data systems used in capturing, storing, or analyzing the PHI of patients under the care of the organization. They're responsible for maintaining the integrity of the data system and authorizing access of internal and external users to the system and the PHI. The data custodian is responsible for the maintenance and integrity of the data system, software, and hardware that house and process the data. They keep the systems updated and backed up, and monitor network activity for potential vulnerabilities. There are two types of data owners. The first is the person to whom the data actually pertains: the patient. The patient has final determination for how the data is used and to whom the data can be disclosed. The second is the health care organization that provides the treatment or services. They have ownership of the health record for the legally specified time period after treatment has ended.

Have you had an appointment recently? Were you provided a HIPAA privacy statement or pamphlet, or directed to read the HIPAA privacy statement posted somewhere in the office? If not, pay attention the next time you go to the dentist or to the eye doctor. You should always receive a copy of those privacy statements. They tell you how that organization will be using your information, who they are sharing it with, and your rights as a patient to revoke the authority and how to do so. I recently remember reading through one and realized that my name and address and email may be sent to a marketing firm, and that firm may send me sweepstakes information completely unrelated to the care I was receiving. Many times, you're asked to sign a line indicating that you've received this notice as you're completing the paperwork. I recommend not signing that portion until you actually receive the notice and read through it. It's important to do so. Any sharing of information must be done with clear permission and understanding from the patient.

Next are the data processors. These are technical people who are involved in implementing the processing systems. They may be involved in performing data entry, testing, or systems development. Health information is the data collected about a person across a number of treatment services from a number of healthcare organizations, and the health record is the collection of that health information based on treatment services. It's a record of specific services performed and the results or interpretations at the specific time of the treatment.

Clinical research is necessary to establish the safety and effectiveness of specific health and medical products and practices. HIPAA regulation allows researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for health care services such as treatment, payment, or operations. The privacy rule places specific emphasis on the authorization that is generally required for research uses and disclosures of PHI by a covered entity. An authorization differs from an informed consent in that an authorization is an individual's permission for a covered entity to use or disclose PHI for a certain purpose, such as a research study. An informed consent, on the other hand, is the individual's permission to participate in the research. Informed consent provides the research subjects with a description of the study and its risks and/or benefits, and how the confidentiality of the record will be protected. An authorization can be combined with an informed consent, but must contain the core elements and required statements in the privacy rule. Please read the supplemental materials for further information relating to the privacy rule requirements for research.

In summary, we reviewed PII and PHI, data subjects, and research as part of regulatory requirements. Thank you for joining me and I'll see you in the next video.