Supplemental HIPAA Training for Better Health Partnership Staff
Consequences of HIPAA Non-compliance
HIPAA Rules and Standards
What to do with PHI you receive or find
How to identify PHI
This training, along with The MetroHealth System annual online education, is for Better Health Partnership (BHP) staff who use or receive Protected Health Information (PHI) while doing BHP functions.
Access to Better Health Partnership members' data is limited to designated BHP data team staff who are trained in the proper management of protected health information.
If you have problems, questions, or comments contact Keith Hagans
CONSEQUENCES OF HIPAA NON-COMPLIANCE
Health Insurance Portability and Accountability Act non-compliance can lead to business disruption, productivity losses, fines, penalties, and settlement costs (including legal defense and corrective action plans). Although there is no single cost of non-compliance, the many known costs a healthcare organization can incur add up.
Fines for a breach can range from $100 to $50,000 per violation (or per record.) The maximum fine for a breach is $1,500,000 in one year. This does not include multiple breaches.
It is important to make sure that BHP is always HIPAA compliant. All HIPAA breaches are threats, some are more common than others.
HIPAA Rules and Standards
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what is commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. You need to be aware these rules exist and what they were created for. These rules are very detailed. This is a description of each rule.
The Security Rule mandates the security of electronic medical records (EMR). Unlike the Privacy Rule, which provides broader protection for all formats that health information may take, such as print or electronic information, the Security Rule addresses the technical aspects of protecting electronic health information. More specifically, the HIPPA Security standards address these aspects of security:
• Administrative security - assignment of security responsibility to an individual
• Physical security - required to protect electronic systems, equipment, and data
• Technical security - authentication & encryption used to control access to data.
The Privacy Rule mandates the protection and privacy of all health information. This rule specifically defines the authorized uses and disclosures of "individually-identifiable" health information. This is the most complex rule, setting requirements for how PHI, in any form or medium, should be controlled.
The Minimum Necessary Standard prevents the sharing of too much information. The minimum amount of data that is required for the data set must be used. Data that is not vital for the purpose should be removed.
What is Protected Health Information (PHI)
Protected Health Information (PHI) is information that can be used to identify, contact, or locate a single person or can be used with other sources to identify a single individual. When personally identifiable information is used in conjunction with one’s physical or mental health or condition, health care, or one’s payment for that health care, it becomes PHI. PHI contains Personally Identifiable Information (PII), Electronic Protected Health Information (ePHI) with other formats of health information. Past, current, and future health information is PHI. PHI is:
• Physical records
• Electronic records
• Spoken information
If you receive or find PHI on any electronic device, please record when you received it and who sent it to you. If you are not sure the information contains PHI, contact Keith Hagans at Better Health Partnership for a review of the information.
If you find physical PHI, put it in a locked bin designated for the removal of PHI. Do not throw it away or tear it into small pieces! If you can reconstruct data containing PHI, it is not compliant!
How to Identify PHI
These are the 18 HIPAA Identifiers that are considered personally identifiable information. A limited data set (LDS) is determined by these identifiers. An LDS has PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
• Names
• Postal address information, other than town or city, State, and zip code
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health-plan beneficiary numbers
• Account numbers
• Certificate and license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifies including fingerprints and voice prints
• Full-face photographic images and any comparable image
If a data set contains any of these identifiers the data is to be considered “identifiable”. To be considered “de-identified”, ALL of the 18 HIPAA Identifiers must be removed from the data set. This includes all PHI data. The ONLY exception to this rule is if you are creating a report or dashboard for one of our partner systems. You may include PHI in this BUT only their own PHI. All other PHI data MUST be aggregated and considered the "region". Releasing any PHI data other than theirs is a violation.
ALL transfers of data must be done via the Better Health Partnership Secure Portal. Email is not acceptable under any circumstance.