HIPAAOutlineAn ActGeneral ObjectivesEven More General ObjectivesGeneral Objectives for InformationDynamically HIPAASlide 9What HIPAA Directly AffectsSecurity RegulationsContingency PlanAccess ControlAudit ControlPerson or Entity AuthenticationSecurity Regulations Wrap-upPrivacy RulePrivacy Rule (cont)Slide 19Slide 20Slide 21Slide 22Limited Data SetsSlide 24Slide 25Slide 26Slide 27Slide 28Privacy StandardsMinimum NecessaryDisclosures to Business AssociatesDisclosures to Business Associates (cont)Whistleblower ProtectionWhistleblower Protection (cont)Research Privacy RulesResearch Privacy Rules (cont)Slide 37Requirements of AuthorizationsDept. of Health and Human Services (HHS)Punishments for Wrongful Use or Disclosure of PHISlide 41TechnologiesASPsASPs and HIPAAVPNsBiometricsInformation Lifecycle ManagementSlide 48Dates of ComplianceEffectsEffects (cont)Slide 52Cases in which HIPAA caused problemsCases in which HIPAA caused problems (cont)Life Insurance, Disability Insurance, and Workers CompPossible detrimental effects on:Problem to considerSlide 58HIPAAHIPAAHealth Insurance Portability Health Insurance Portability and Accountability Act of and Accountability Act of 19961996Adam CushnerAdam CushnerOutlineOutlineOverview of HIPAAOverview of HIPAASpecifics of HIPAASpecifics of HIPAASuggestions for implementationSuggestions for implementationEffectsEffectsProblemsProblemsQuestionsQuestionsAn ActAn ActTo amend the Internal Revenue Code of 1986 To amend the Internal Revenue Code of 1986 to improve portability and continuity of to improve portability and continuity of health insurance coverage in the group and health insurance coverage in the group and individual markets, to combat waste, fraud, individual markets, to combat waste, fraud, and abuse in health insurance and health and abuse in health insurance and health care delivery, to promote the use of medical care delivery, to promote the use of medical savings accounts, to improve access to long-savings accounts, to improve access to long-term care services and coverage, to simplify term care services and coverage, to simplify the administration of health insurance, and the administration of health insurance, and for other purposes.for other purposes.Signed by President Bill Clinton on July 21, Signed by President Bill Clinton on July 21, 19961996Named because it was originally about, Named because it was originally about, well, the portability of health insurance. well, the portability of health insurance. Focus, however, is on privacy of medical Focus, however, is on privacy of medical recordsrecordsPassed partly because of the failure of Passed partly because of the failure of congress to pass comprehensive health congress to pass comprehensive health insurance legislation earlier in the decadeinsurance legislation earlier in the decadeGeneral ObjectivesGeneral ObjectivesIncrease number of employees who Increase number of employees who have health insurancehave health insuranceReduce health care fraud and abuseReduce health care fraud and abuseIntroduce/implement administrative Introduce/implement administrative simplifications in order to augment simplifications in order to augment effectiveness of health care in the USeffectiveness of health care in the USProtect the health information of Protect the health information of individuals against access without individuals against access without consent or authorizationconsent or authorizationEven More General Even More General ObjectivesObjectivesGive patients more rights over their Give patients more rights over their private dataprivate dataSet better boundaries for the use of Set better boundaries for the use of medical informationmedical informationHold people accountable for misuseHold people accountable for misuseEncourage administrative Encourage administrative simplification (in the form of simplification (in the form of digitalization of information) to help digitalization of information) to help reduce costsreduce costsGeneral Objectives for General Objectives for InformationInformationEnsure privacy and security of health Ensure privacy and security of health information by designating Protected information by designating Protected Health Information (PHI)Health Information (PHI)–PHI, for example, must be treated in the PHI, for example, must be treated in the same way in which you would treat same way in which you would treat someone’s tissue (with regard to someone’s tissue (with regard to Privacy)Privacy)Set standard for data using Set standard for data using Electronic Data Interchange (EDI)Electronic Data Interchange (EDI)Dynamically HIPAADynamically HIPAAHIPAA’s goals, in a sense, are aimed HIPAA’s goals, in a sense, are aimed to hit a moving target:to hit a moving target:–Technologies to help implement HIPAA Technologies to help implement HIPAA are constantly changingare constantly changing–Attitudes towards privacy are changingAttitudes towards privacy are changing–Also, not much empirical evidence to Also, not much empirical evidence to show if HIPAA is doing what it set out show if HIPAA is doing what it set out to do (e.g. reduce costs)to do (e.g. reduce costs)OutlineOutlineOverview of HIPAAOverview of HIPAASpecifics of HIPAASpecifics of HIPAASuggestions for implementationSuggestions for implementationEffectsEffectsProblemsProblemsQuestionsQuestionsWhat HIPAAWhat HIPAADirectly Directly AffectsAffectsCovered EntitiesCovered Entities–Health plansHealth plans–Health care clearinghousesHealth care clearinghouses–Health care providers who transmit health Health care providers who transmit health information in electronic form for certain information in electronic form for certain standardstandardPending ideas:Pending ideas:–National Provider IDsNational Provider IDs–National Employer IDsNational Employer IDs–National Health Care IDsNational Health Care IDs–National Individual IDsNational Individual IDsSecurity RegulationsSecurity RegulationsContingency PlanContingency PlanAccess ControlAccess ControlAudit ControlAudit ControlPerson or Entity AuthenticationPerson or Entity AuthenticationContingency PlanContingency Plan(A) Data backup plan. Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan. Establish (and implement as needed)