HCISPP

Course
New
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hi, everybody. Welcome back to the HCISPP Certification course with Cybrary: Regulatory Requirements, Part Two.
00:09
My name is Schlaine Hutchins and I'll be your instructor for this course.
00:15
In this video, we're going to talk about PII
00:19
and PHI,
00:20
data subjects and research, and how these apply to regulatory requirements.
00:29
It's important to understand the definitions of PII, personally identifiable information,
00:36
and PHI, protected health information.
00:40
PII is any information that allows positive identification of an individual, such as your name, your birth date, your address or your phone number.
00:52
Protected health information, or PHI, is any of those elements that are part of the health care and treatment of an individual,
01:00
for example, your name and the name of a prescription that you're taking,
01:06
or your name
01:07
and the pharmacy where you get your prescriptions filled.
01:11
It's important to note that PII only becomes PHI
01:15
when the information is handled by a covered entity.
01:19
Remember, a covered entity is a hospital or care center,
01:25
a pharmacy
01:26
or an insurance plan.
01:27
A pharmaceutical manufacturer
01:30
is not a covered entity.
01:34
The personal information that they may have related to patients who apply for discounts for your particular brand of drugs is not protected health information under HIPAA.
01:47
And it's not subject to the same regulatory safeguards, although
01:52
it may be covered under state laws with similar protections and consequences.
02:00
Dig a little deeper.
02:00
HIPAA defines PHI as 18 different data elements, with the 18th element being
02:07
any other unique identifying number, characteristic or code.
02:14
Think about that
02:15
when you receive data from a covered entity.
02:19
Even if it's just one of these elements,
02:22
it is considered PHI and must be protected and safeguarded according to HIPAA.
02:28
It could be a list of email addresses or even the IP address from where a patient logged into their online accounts.
02:36
Because it's tied to a record from a covered entity, it's PHI.
02:42
An unauthorized disclosure of this information could be a potential HIPAA data breach.
02:47
The significance here is how these elements could be used to tie back to a patient.
02:53
HIPAA was created to protect the dignity of U.S. citizens and their health care information.
03:00
Disclosure of personal information may cause intrinsic harm simply because that private information is known by others,
03:08
and this is according to "Savor Our Medical Research:
03:13
An Intangible Harm," University of Cincinnati Law Review, 2006.
03:20
Another potential danger is economic harm.
03:23
Individuals could lose their job, their health insurance or housing if the wrong type of information becomes public knowledge.
03:30
Consider this story.
03:32
When the HIV/AIDS epidemic broke out, the stigma around HIV and AIDS was very negative and harmful to those who contracted the virus.
03:43
Over the next several years, more education was provided about the virus and the autoimmune disease that could result afterwards.
03:52
New drugs have been developed to extend the lives of those with the virus and halt the progression of the disease.
03:59
Insurance plans began to cover some of those drugs for patients.
04:03
One insurance company,
04:04
Aetna
04:05
in 2017
04:08
used a vendor to send letters to its members.
04:11
The envelope used by the vendor contained a window to display the recipient's name and address.
04:17
The window, however,
04:18
was large enough that the first few lines of the information could be viewed.
04:25
That information indicated that the patient was taking HIV medication.
04:30
12,000 of those letters were mailed.
04:33
Anyone who handled that letter could view the information: the mail carrier, a neighbor picking up the mail, a family member who was unaware.
04:44
This was a data breach.
04:46
Any information that can be tracked back to an individual person is considered protected health information.
04:54
Aetna settled a Pennsylvania lawsuit for $17 million and a $365,000 civil penalty to settle the claims, $100,000
05:08
in Connecticut and $175,000 in D.C., for a total of $640,000 in civil suits.
05:17
Aetna then filed a $20 million lawsuit seeking damages from the vendor.
05:28
The exposure of health care information of prominent citizens and public figures in the United States prompted the legislation that led to HIPAA,
05:36
and the onset of the Internet
05:40
and its population of attackers who seek either monetary gain, notoriety or both
05:46
has made the challenge of protecting the information even greater.
05:49
The reality is that health information is worth more to an attacker than most other kinds of information.
05:58
According to an article on fiercehealthcare.com,
06:01
the number of patient records breached nearly tripled in 2019.
06:08
Over 41 million patient records were breached in 2019, with a single hacking incident affecting close to 21 million records.
06:18
Responsibilities for protecting PHI within an organization are complex.
06:24
Here are a few responsible parties.
06:27
The data controller or manager is the senior person in charge of managing the data systems used in capturing, storing or analyzing the PHI of patients under the care of the organization.
06:40
They're responsible for maintaining the integrity of the data system and authorizing access of internal and external users to the system
06:49
and the PHI.
06:51
The data custodian is responsible for the maintenance and integrity of the data system, software and hardware that house and process the data.
07:00
They keep the systems updated and backed up, and monitor network activity for potential vulnerabilities.
07:09
There are two types of data owners.
07:12
The first is the person to whom the data actually pertains, the patient.
07:15
The patient has final determination for how the data is used and to whom the data can be disclosed,
07:23
and the second is the health care organization that provides the treatment or services.
07:28
They have ownership of the health record for the legally specified time period after treatment has ended.
07:35
Have you had an appointment recently?
07:40
Were you provided a HIPAA privacy statement or pamphlet, or directed to read the HIPAA privacy statement posted somewhere in the office?
07:47
If not,
07:48
pay attention the next time you go to the dentist or to the idea;
07:54
you should always receive a copy of those privacy statements.
07:57
They tell you how that organization will be using your information and who they're sharing it with,
08:03
and your rights as a patient to revoke the authority and how to do so.
08:09
I recently remember reading through one and realized that my name and address and email may be sent to a marketing firm,
08:16
that firm may send me sweepstakes information
08:20
completely unrelated to the care I was receiving.
08:24
Many times you're asked to sign a line indicating that you've received this notification as you're completing the paperwork.
08:31
I recommend not signing that portion until you've actually received the notice and read through it.
08:37
It's important to decent.
08:39
Any sharing of information must be done with clear permission and understanding from the patient.
08:46
Next are the data processors.
08:50
These are technical people who are involved in implementing the processing systems; they may be involved in performing data entry, testing or systems development.
09:01
Health information is the data collected about a person across a number of treatment services from a number of health care organizations, and the health record is the collection of that health information based on treatment services. It's a record of specific services performed and their results
09:20
or interpretations
09:20
at the specific time of the treatment.
09:28
Clinical research is necessary to establish the safety and effectiveness of specific health and medical products and practices.
09:35
HIPAA regulation allows researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates or discloses PHI that will be entered into the medical record or will be used for health care services such as treatment,
09:54
payment or operations.
09:56
The Privacy Rule places specific emphasis on the authorization that is generally required for research uses and disclosures of PHI by a covered entity.
10:09
An authorization differs from an informed consent in that an authorization is an individual's permission for a covered entity to use or disclose PHI for a certain purpose, a research study,
10:22
and informed consent, on the other hand, is the individual's permission to participate in the research. An informed consent provides the research subjects with a description of the study and its risks and/or benefits, and how the confidentiality of the record will be protected.
10:41
An authorization can be combined with an informed consent but must contain the core elements
10:48
and required statements in the Privacy Rule.
10:50
Please read the supplemental materials for further information relating to the Privacy Rule requirements for research.
11:01
In summary, we reviewed PII and PHI,
11:05
data subjects and research as part of regulatory requirements.
11:11
Thank you for joining me and I'll see you in the next video.

The HCISPP certification course provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.

Instructed By

Schlaine Hutchins
Director, Information Security / Security Officer
Instructor