Transcript for:
Understanding HIPAA Regulations and Compliance

HIPAA stands for the Health Insurance Portability and Accountability Act. Its original purpose was to protect people from losing their health insurance if they change jobs or have pre-existing health conditions. HIPAA has been expanded over the years to also help reduce the cost and administrative burdens of healthcare transactions and, most recently, to develop standards and requirements to protect the privacy and security of personal health information. It's HIPAA's privacy and security rules that we'll cover here.

HIPAA's privacy and security rules require healthcare organizations to adopt processes and procedures to ensure the highest degree of patient confidentiality. It makes sense: patients desire their information to be secure and rely on you to keep it safe and confidential. Personal health information, or PHI, can be created, stored or transmitted in many formats: through verbal conversations, written documents, over computer software or hardware, and in various other forms. All require security and confidentiality measures to be implemented. PHI may include anything in the patient health records, such as lab results, medical history, images and more. It also includes other patient information like names, birth dates, social security numbers, email addresses and other information that can be used to create identity theft. It seems like every day we hear about another data breach. Keeping patient information safe is what HIPAA governs and what you are responsible to protect.

A covered entity under HIPAA may not use or disclose protected health information unless a patient authorizes its disclosure in writing. However, we may disclose protected health information without an individual's authorization for any of the following purposes or situations: one, to any individual that has been authorized by the patient; two, for treatment, payment or general healthcare operations; or three, if the individual has the opportunity to agree or object to a disclosure, for example when the patient brings another patient into the exam room.

In addition, all practices are required to provide patients with a Notice of Privacy Practices, or NPP. It is a best practice to make a good-faith effort to obtain a patient's written acknowledgement of receiving the notice. The NPP must inform patients of the uses and disclosures of PHI that the practice may make and define the patient's right to access and amend their medical information. Except in certain circumstances, individuals have the right to review and obtain a copy of their protected health information. You may impose reasonable fees for the cost of copying and fulfilling the patient's request.

When you disclose PHI, you must use the minimum necessary information to accomplish the purpose of the disclosure or request. Practices must identify each employee who needs access to PHI to carry out their job, and PHI should be limited to a need-to-know basis. For non-employees, you must limit the amount of PHI to what is needed to accomplish the work. You should also rely on ethics and your best judgment in deciding whether to disclose protected health information.

The HIPAA Security Rule requires covered entities to implement administrative, physical and technical safeguards to ensure that medical information is stored, transmitted and received in a safe and secure manner. Administrative safeguards require practices to create and maintain updated policies and procedures for employees to learn and follow to help maintain the security of PHI. Some examples of administrative safeguards include: acceptable use policies, to help train employees on their access rights and responsibilities with handling PHI; sanction policies, which are needed to discipline employees who violate HIPAA law; information access policies, which grant appropriate access to computer workstations, health records and transactions, and other programs or processes; security awareness training, which must be implemented so employees are trained and reminded of policies and procedures relating to software updates, computer login monitoring, password updates and other key security measures; and contingency planning, so adequate preparation policies and procedures are in place in order to respond to an emergency, for example if there is a fire, vandalism or other natural disaster. An incident and emergency response plan must be created, tested and revised, and all critical activities must have a designated owner.

Technical safeguards require practices to implement procedures and the right software and equipment to protect PHI. Practices must implement technical policies and procedures to allow access to only those people who need access to do their jobs. Practices should incorporate encryption and decryption in backing up, restoring and transmitting electronic patient information, and policies and procedures must be set up to destroy PHI when it is no longer necessary to fulfill a job or function.

Physical safeguards must be implemented to protect the location and devices within your practice. Facility access controls must be created and all access must be monitored. It's important that you understand and monitor who is accessing the practice and that security measures are put in place prior to and after a potential incident.

To help administer these safeguards, HIPAA requires that every practice designate a HIPAA security and HIPAA privacy officer. The designee can be the same person if appropriate. The HIPAA security and privacy officers play key roles in leading the implementation and training of HIPAA requirements for your practice.

HIPAA is enforced by the Office of Civil Rights, a division of Health and Human Services. Penalties can be up to $50,000 per penalty per violation and increase up to 1.5 million dollars per identical penalty or willful neglect in any calendar year. Civil and criminal penalties may apply depending on the offense. In addition, with the enactment of HIPAA's Omnibus Rule in September 2013, covered entities were expanded to include your business associates, which include auditors, consultants, IT companies and others with whom you have agreements involving the use of protected health information. That means when a doctor takes notes in a medical chart, or an assistant data-enters health information into a report or online program discussing a patient's condition, any entity that also is in contact with this information is now governed under HIPAA. HIPAA requires that updated business associate agreements are executed between the practice and all business associates.

It's important you do everything necessary to protect your patients' private information and to comply with the HIPAA Security and Privacy Rules. The practice's reputation is at risk if you violate HIPAA law or if patient information is compromised. Penalties can be devastating, and it's your duty to contribute to a commitment of developing a culture of compliance and data security for your practice. If you see any suspicious activity, please report it to your supervisor as soon as possible. Thank you for participating in today's HIPAA training. Please follow up with your supervisor if you have any additional questions.