Chapter 6 - The privacy and security of electronic health information. After studying this chapter, you should be able to: Describe the purpose of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), discuss how the HIPAA Privacy Rule protects patient health information, describe when protected health information can be released without patients’ authorization,…
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill
Chapter 6
The Privacy and Security of Electronic Health Information
Records for Allied Health Careers
Learning Outcomes
After studying this chapter, you should be able to:
• Describe the purpose of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA).
• Discuss how the HIPAA Privacy Rule protects patient health information.
• Describe when protected health information can be released without patients’ authorization.
• … information.
• … places protected health information at greater risk.
• … health care environment.
• … health records and a nationwide health information network.
Key Terms
• administrative safeguards
• Administrative Simplification
• antivirus software
• audit trails
• authentication
• authorization
• availability
• business associates
• clearinghouses
• confidentiality
• covered entities (CEs)
• de-identified health information
• designated record set (DRS)
• disclosure
• electronic protected health information (ePHI)
• encryption
• firewall
• health information exchange
• health plan
• HIPAA Privacy Rule
• HIPAA Security Rule
• integrity
• intrusion detection system (IDS)
• minimum necessary standard
• Notice of Privacy Practices (NPP)
• passwords
• physical safeguards
• protected health information (PHI)
• providers
• role-based authorization
• technical safeguards
• treatment, payment, and operations (TPO)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• HIPAA is the most significant legislation affecting health care since Medicare and Medicaid in 1965.
• Title I of HIPAA = Health Insurance Reform
• Title II of HIPAA = Administrative Simplification Standards
The Privacy Rule
• Covered entities
– Health plans
– Providers
– Clearinghouses
The Privacy Rule
• Business Associates
– Not covered entities, but use PHI for business purposes
– Covered entities must have contracts with business associates stating that they will abide by the HIPAA Privacy Rule
The Privacy Rule
• Protected Health Information
– Individually identifiable health information
– The Privacy Rule applies to PHI in any form, whether it is communicated and/or maintained verbally, on paper, or electronically
The Privacy Rule
• Minimum Necessary Standard
– Limiting information to the minimum PHI necessary for the intended purpose
• Designated Record Set (DRS)
– A group of records that contains PHI; contents depend on the role of the organization or provider
The Privacy Rule
• Disclosure of Protected Health Information (PHI)
• Release of Information for Purposes Other Than TPO
– An authorization (special permission) must be obtained from the patient for uses and disclosures other than for TPO.
– Disclosures must be documented and provided to the patient if requested.
– Use and disclosure rules do not apply to de-identified health information, which is information that neither identifies nor provides a reasonable basis for identification of an individual.
The Privacy Rule
• Notice of Privacy Practices (NPP)
• Rights of Individuals
• HIPAA Enforcement
Threats to the Security of Electronic Health Information
• The Actions of Individuals
• Environmental Hazards
• Computer Hardware, Software, or Network Problems
The Security Rule
• Protects the confidentiality, integrity, and availability of electronic protected health information (ePHI) of covered entities
The Security Rule
• Administrative Safeguards
– Policies and procedures to protect ePHI
• Physical Safeguards
– Mechanisms to physically protect electronic systems, equipment, and data
• Technical Safeguards
– Automated processes that protect and control access to ePHI
Privacy and Security Risks of Electronic Health Information Exchange
• Clinical Data Available in Electronic Form
• Portable Computers and Storage Devices
• Problems Not Adequately Addressed by Existing Privacy Laws
– Private Sector Electronic Networks
– Personal Health Records (PHRs)
– Overseas Business Associates
– Multistate Exchange of Data with Different Laws
The Importance of Public Trust
• If people don’t trust that their personal information will be kept confidential, they won’t disclose it; this can lead to a lack of appropriate care.
• Public Attitudes Toward the Electronic Use of Health Information
– Most people believe that the confidentiality of their medical records is very important
– The majority of people express concern about the privacy of their information
– Regional or nationwide health information networks will have to be proven safe to gain the public’s trust