Overview
PRIVACY
CONFIDENTIALITY
SECURITY
AUTHORIZATION/CONSENT
CONSENT: IMPLIED/EXPRESSED
“MINIMUM NECESSARY RULE” AND “NEED TO KNOW BASIS”
NOTICE OF PRIVACY PRACTICES
HIPAA Privacy Rule
Effective Date: April 14, 2003
OCR: oversees HIPAA privacy compliance.
CMS: oversees HIPAA security compliance.
PHI: Protected Health Information
Covered Entity (CE)
Business Associate (BA)
Relationship with Health Information
Applicability
De-identification
HIPAA Security Rule
Applicability
Safeguards:
-Administrative: Examples: Policies and Procedures, Documented Processes
-Physical: Examples: Positioning of Computer Screens to Prevent Public Viewing, Locks
-Technical: Examples: Passwords, PINs, Firewalls, Software Updates
Contracts must be in place.
The Omnibus Final Rule
563 pages long
Effective Date: March 26, 2013
Compliance Date for HIPAA CEs and BAs: September 23, 2013
Enhancements: consumers' privacy protections
Understanding Breaches
Chatting about consumers in public places (Cafeteria, elevators, lobby, waiting area)
Social networks: Facebook (Meta), LinkedIn, Twitter, etc.
Portable devices: Cell phones, laptop, flash drive, …
Emails: Encryption/Decryption (Phishing)
Fax: Security policies
Phone: Voicemails
Breach of Confidentiality
Breach of Privacy
HIPAA Violation and Minimum Civil Penalty
Reasonable Diligence (did not know)
Reasonable Cause
Willful Neglect (violation is corrected)
Willful Neglect (violation is not corrected)
"Adjustments to CMP amounts for 2022. For violations on or after November 3, 2015:
Penalty Amount Per Violation: $127 - $63,973* per violation
Calendar Year Cap for Violation of Identical Requirement or Prohibition: $25,000 - $1,919,173***
The Department of Health and Human Services may make annual adjustments to the CMP amounts pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvement Act of 2015. The annual inflation amounts are found at 45 CFR § 102.3.
**Pursuant to HHS's Notification of Enforcement Discretion, https://www.federalregister.gov/documents/2019/04/30/2019-08530/enforcement-discretion-regarding-hipaa-civil-money-penalties"
Criminal Penalties
Fines (up to $250,000),
Imprisonment (up to 10 years)
Direct Liability: Covered entity
“Corporate Criminal Liability”: Individuals such as directors, employees, and officers of the covered entity (organization) can be directly criminally liable under HIPAA.
Reporting
-Report privacy breaches to the Privacy Officer.
-If 500 or more individuals’ health records have been breached, it is a MUST to:
notify each individual whose health information has been breached,
report the breach to the Secretary of the Department of Health and Human Services (HHS),
as well as notify the media.
-If fewer than 500 individuals’ health records have been breached, it is a MUST to:
notify each individual whose health information has been breached,
and report the breach to the Secretary of the Department of Health and Human Services (HHS).
Recommendations
Faxed documents containing protected health information shall be disposed of securely upon receipt.
Faxed documents shall be routed securely to the appropriate recipient upon receipt.
When faxing documents containing PHI within the facility, the sender shall alert the receiver of the transmission via phone and/or email.
PHI transmitted via email shall be de-identified or encrypted.
Avoid printing documents containing PHI from electronic systems, unless absolutely necessary.
Printed documents containing PHI shall be shredded immediately after use.
Documents containing PHI shall not be taken home under any circumstances.
Computers shall be locked when left unattended.
IDs and passwords shall not be saved or stored on computers or on sticky notes.