Health Insurance Portability and Accountability Act (HIPAA) – Health Care Law (Nursing)

00:01 Welcome back everyone.

00:03 When patients are in our care, they become vulnerable and risks to their privacy exists.

00:08 As patient advocates, it's our responsibility to ensure we protect them.

00:13 One way to protect their personal information is under the Health Insurance Portability and Accountability Act.

00:20 The Health Insurance Portability and Accountability Act or HIPAA was created primarily to modernize the flow of healthcare information, stipulate how personally identifiable information maintained by the healthcare and the healthcare insurance industry should be protected from fraud and theft and to address limitations on healthcare insurance coverage.

00:41 As the name implies, Personally Identifiable Information of PII is any data that can identify a person.

00:50 Certain information like full name, date of birth, address, and biometric data are always considered as PII.

00:57 Although it doesn't explicitly address personally identifiable information, HIPAA regulate situations like this under the term, Protected Health Information (PHI).

01:06 PHI includes anything used in the medical context that can identify patients, such as: their name, address, birthday, credit card number, driver's license or the medical record number.

01:20 Now there are 5 HIPAA rules.

01:22 HIPAA Privacy rule, HIPAA Security rule, the Breach Notification rule, the Omnibus rule and the Enforcement rule.

01:33 The HIPAA Privacy Rule.

01:35 This rule dictates how, when and under what curcumstances PHI can be used and disclosed.

01:41 It applies to all healthcare organizations clearinghouses and entities that provide health plans.

01:47 It sets limits regarding the use of patient information when no prior authorization has been given by the patient.

01:54 It also mandates patients and their representatives have the right to obtain a copy of their health records and request corrections to errors.

02:02 Now covered entities have 30 days to respond to these types of requests.

02:07 The HIPPAA Security Rule.

02:09 This sets the minimum standards to safeguard electronic PHI.

02:14 Anyone who can access, create, alter or transfer electronic PHI must follow these standards.

02:21 The HIPPAA Security rule has 3 safeguards: Techinal safeguards include encryption - if the data goes outside the company's firewall.

02:30 It has physical safeguards which may relate to the layout of work stations, for example, screens can't be seen from the public area.

02:38 And administrative safeguards.

02:40 This requires a security officer and a privacy officer to conduct regular risk assessments and audits.

02:47 Now these assessments aim to identify any ways in which the integrity of PHI is threatened and build a risk management policy off the back of this.

02:57 The Department of Health and Human Services must be notified if a data breach has been discovered.

03:04 So the Breach Notification Rule.

03:05 Notification must be within 60 days of the breach's discovery for incidents involving 500 or more individuals.

03:13 Notification must be within 60 days of the end of the calendar year in which the breach was experienced for breaches of fewer than 500 records.

03:22 And individuals whose personal information has been compromised must also be informed within 60 days.

03:29 If greater than 500 patients were affected in a particular jurisdiction, a media notice must be issue to a prominent news outlet servinig that area, The Omnibus Rule.

03:41 This extends HIPAA coverage to business associates.

03:44 It prohibits use of PHI for marketing or fund raising purposes without authorization.

03:49 And it outlines new penalty tiers for violations of HIPAA.

03:54 The Enforcement Rule.

03:56 Should a breach of PHI occur, this rule lays out how any resulting investigations are carried out.

04:02 Once the level of negligence has been determined, appropriate fines can be issued.

04:07 HIPAA covered entities are required to implement safeguards to ensure the confidentiality, integrity and availability of electronic PHI.

04:16 Arguablyone of the most important safeguards, is encryption.

04:19 Especially on portable devices such as laptop computers that are frequently taken off site Also, passwords Record retention Violation reporting Common HIPAA violations include: Risk analysis features Risk management features Lack of encryption or alternative safeguards Security awareness training failures Improper disposal of PHI Impermissible disclosures to PHI Failure to adhere to to the minimum necessary standard Failure to provide patients with copies of PHI on requests Failure to issue breach notifications promptly.

05:02 So remember, compliance with HIPAA si an ongoing exercise.

05:07 So in thinking of everything we've covered today, I'd like you to consider this question, What are 4 security requirement for electronic PHI under HIPAA? They are encryption, passwords, record retention, and violation reporting.

05:30 I hope you've enjoyed today's video on HIPAA Thanks so much for watching.