To help you understand the HIPAA terminology, we will go through some basic definitions.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HITECH stands for the Health Information Technology for Economic and Clinical Health Act of 2009. The goal of HITECH is to promote the adoption and meaningful use of health information technology; it also significantly expands the HIPAA Privacy Rule and Security Rule and adds new requirements concerning the privacy and security of PHI.

PHI is Protected Health Information: a patient's personal and medical information. ePHI is electronic Protected Health Information, that is, PHI that is stored or transmitted electronically. Examples are faxes, emails, data backups and cloud providers, patient portals, removable media, and secure texting. All of this data should be encrypted at rest and in transit. Under the Security Rule, encryption is an addressable implementation specification rather than a flat requirement, but it is the expected control: if you do not encrypt, you must document why and implement an equivalent safeguard, and only ePHI encrypted in line with HHS guidance is treated as secured, so that its loss or theft does not trigger breach notification.

A Business Associate is anybody who supports the healthcare industry by performing functions or activities on behalf of a covered entity. Since HITECH, business associates are directly and legally required to comply with the HIPAA Security Rule and the applicable provisions of the Privacy Rule, and they are financially liable for data breaches caused by their organization or employees. Business associates are therefore required to have a risk assessment, just like a covered entity, along with workforce training and a book of evidence.

A Risk Assessment is a structured set of questions, derived from the Security Rule requirements, that helps you identify gaps in risk not only to your own business but also to the covered entities you serve. It must produce a risk report with a roadmap to resolution. The questions fall into three sections, Administrative, Physical, and Technical safeguards, and each section is made up of standards with implementation specifications that are either required or addressable. The standards measure whether the confidentiality, integrity, and availability of ePHI are ensured while it is in the custody of covered entities and business associates.

Covered entities and business associates must comply with the applicable standards in the Security Rule with respect to all ePHI. Required means the specification must be implemented by the covered entity or business associate as written. Addressable was developed to give covered entities additional flexibility in how they meet the security standards. However, "addressable" does not mean "optional." You must assess whether the specification is reasonable and appropriate for your environment and, if it is, implement it; if it is not, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate.

A Book of Evidence is the customized book of policies and procedures you are required to create; it explains how you handle PHI and ePHI. This includes data breach notification procedures, disaster recovery policies, and privacy and patient policies. The Privacy Policy explains how a covered entity or business associate handles all PHI. As a covered entity you are required to provide your patients with a copy of your privacy policy upon request. Business Associates must be able to provide their privacy policy to their internal employees, to the external companies they work with (which we call downstream suppliers), and for government audits.
This lesson is all about learning some important definitions to better help you understand HIPAA terminology. There will, of course, be a little repetition.
HIPAA: Health Insurance Portability and Accountability Act of 1996.
HITECH: Health Information Technology for Economic and Clinical Health Act of 2009.
Pro Tip #1: The goal of HITECH is to promote the adoption and meaningful use of health information technology. It also significantly expands the HIPAA Privacy Rule and Security Rule and adds new requirements concerning the privacy and security of PHI.
PHI: Protected Health Information (patients' personal and medical information).
ePHI: Electronic Protected Health Information.
This includes all PHI that is stored and/or transmitted electronically. Common examples of ePHI include faxes, emails, data backups and cloud providers, patient portals, removable media, and secure texting.
Whether ePHI is being stored or transmitted, it should be encrypted. Encryption is an addressable specification of the Security Rule, which does not make it optional: if you do not encrypt, you must document why and implement an equivalent safeguard, and only ePHI encrypted in line with HHS guidance is exempt from breach notification if it is lost or stolen.
Business Associate: Any person or organization that supports the healthcare industry in some fashion by performing functions or activities on behalf of a covered entity.
Per HITECH, business associates are now directly and legally required to comply with the HIPAA Security Rule and the applicable provisions of the Privacy Rule. This includes assuming financial liability for any data breaches caused by their organization or employees.
All business associates are required to have a risk assessment, workforce training, and a Book of Evidence, just like a covered entity.
Risk Assessment: A structured set of questions, derived from the Security Rule requirements, to help organizations identify gaps in risk to their own organization and to the covered entities they serve. It includes a risk report with a road map to resolving any problems found.
There are three sections on a risk assessment (Administrative, Physical, and Technical safeguards) and three kinds of items: standards, required implementation specifications, and addressable implementation specifications.
Standards measure whether a covered entity ensures the confidentiality, integrity, and availability of ePHI while it is in the custody and care of covered entities and/or business associates.
Pro Tip #2: Covered entities and business associates must comply with the applicable standards provided in the Security Rule with respect to all ePHI.
Required specifications are those that must be implemented by covered entities and/or business associates as written.
Addressable specifications, while not optional, give covered entities and business associates some flexibility in how they meet the security standard.
Every organization must assess each addressable specification against its own risk to PHI. If the specification is reasonable and appropriate, it must be implemented; if it is not, the organization must document why and implement an equivalent alternative measure where one is reasonable and appropriate.
The Book of Evidence is a customized book of policies and procedures that all organizations are required to create. The Book of Evidence illustrates how that organization handles all PHI and ePHI. This includes data breach notification procedures, disaster recovery policies, and privacy and patient policies.
A privacy policy explains how covered entities and business associates handle PHI. All covered entities are required by law to provide patients with a copy of their privacy policy upon request.
Business associates must also be able to provide their privacy policies to internal employees, to the external companies they work with (also known as downstream suppliers), and to government auditors.
The disposal of protected health information (PHI) comes with its own set of requirements under the HIPAA Privacy and Security Rules; these govern the steps covered entities take when they dispose of PHI.
The U.S. Department of Health and Human Services (HHS) encourages all covered entities to consider the steps that other prudent healthcare organizations and health information professionals are taking to protect patient privacy in connection with record disposal.