The Health Insurance Portability and Accountability Act
This section was created to explain what the Health Insurance Portability and Accountability Act (HIPAA) of 1996 is and how it affects everyone working here at Jordan Health Systems including Beth Israel Deaconess - Plymouth.
HIPAA is a piece of legislation covering three areas:
- Insurance Portability
- Fraud Enforcement
- Administrative Simplification Provisions (reduction in health care costs)
The third component, the Administrative Simplification Provision, is considered by many to be the most significant, as it contains two very important rules called the “Privacy Rule” and the “Security Rule”. The Privacy Rule became effective on April 13th, 2003 and the Security Rule became effective on April 20th, 2005.
The main goal of the HIPAA Privacy and Security rules is to protect patient privacy and the confidentiality of ‘protected health information’ (PHI) in paper and electronic form.
The major requirements of the HIPAA Privacy Rule are:
- To restrict the unwarranted disclosure of sensitive personal information
- To give individuals greater control over access to sensitive personal information, including the specific information that can be disclosed, to whom, and for the uses for which it can be used
- To enable providers to use the personal information they need to make treatment decisions and to meet their obligations to patients and regulatory and law enforcement agencies.
Protected health information (PHI) is information that describes the health status of an individual including basic demographics and the use of medical services, and information that either identifies, or can be used to identify, an individual. Examples of PHI include patient name, address, date of birth, social security number, insurance identification number, referral, visit, and claim numbers. PHI also includes all medical record information including but not limited to, tracings, images, specimens and reports that contain patient identifying information.
In other words, PHI is all individually identifiable health information. It can relate to or describe the past, present, or future, physical or mental health or condition of an individual, and includes all health care services provided to that individual. All PHI must be discarded in the ‘shredder bins’ provided by the hospital to assure it’s proper and secure disposal. PHI should never be discarded in a waste basket or trash barrel.
Healthcare professionals are “de-identify” PHI wherever/whenever practicable. Once all the information has been de-identified, the privacy rules place no restrictions on how it may be used or transmitted.
“Minimum necessary” is a privacy standard where the goal is to limit the amount of information used to the absolute minimum necessary to achieve or accomplish the intended purpose of the use, disclosure, or request.
A Business Associate Agreement (BAA) is a contract required by the Privacy Rule between someone doing something for us or on our behalf that involves our patient’s PHI. A BAA contract template is available by contacting a member of the Compliance Department (x. 2007/2009) or Denise Norris (x. 2006).
Patients are required to be given a once per lifetime copy of our organizations Notice of Privacy Practices (NPP) and they must sign an acknowledgement that they received a copy of the NPP the first time they visit our organization after April 2003. Any significant content changes shall require the NPP to be redistributed.
Patients are able to request a restriction on how we use and disclose their information. They can also request an amendment of their medical information, if they feel that information about them is incorrect or inaccurate. Providers do not have to agree to any restriction or amendment request. However, the patient can write their own amendment which becomes an official part of our patient’s medical record. For information regarding restriction requests or medical record amendment requests, contact our Director of Medical Records.
The four major requirements of the Security Rule are to:
- Ensure the confidentiality, integrity, and availability of all electronic PHI that we create, receive, maintain, or transmit
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such data
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy rule
- Ensure compliance with the security rule by the workforce
All health care covered entities including Jordan Health Systems and Beth Israel Deaconess - Plymouth are required to have workforce sanctions for violations of security policies and procedures, have data backup plans and unique user identification access controls, device and media disposal procedures, and person or entity authentication procedures. Our Information Technology Department is responsible for directing and controlling the above noted activities.
The Security Rule is organized in standards and implementation specifications and in general, describes what we must do to protect our data and how to do it. It gives us and our organization the responsibility to accurately assess and manage security risks.
The Security Rule has both ‘required’ standards and specifications as well as ‘optionable’ or ‘addressable’ ones. An example of an addressable standard is whether or not to encrypt electronic PHI transmitted over the Internet and how to implement automatic workstation log-offs.
The Security Rule allows us to take measures to protect our data that are reasonable and appropriate for an organization of our size and complexity, within our cost ability and technical infrastructure’s hardware and software capabilities.
The Security Rule also places a special emphasis on an adoption of a security management process where “accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of PHI” held by us is performed. System access policies and procedures are required in order to ensure access is given only to those in appropriate positions. The Information Technology Department is required to regularly review records of information system activity, such as audit logs, access reports, and security tracking reports.
Please feel free to call or e-mail any of the contacts listed below to discuss any situation related to HIPAA. This includes situations where a patient or an employee’s privacy may have been compromised, questions or concerns about computer system access and/or the security of our data (either paper or computer based) is being questioned.
||Director, Network Infrastructure & Telecom
||Chief Compliance & HIPAA Privacy Officer
||(508) 830-2007 or firstname.lastname@example.org