Securing Patient-Related Data: The Impact of HIPAA Module VI NUR 603 Russ McGuire

Upload: gabriel-armstrong

Post on 02-Jan-2016



Securing Patient-Related Data: The Impact of HIPAA

Module VI

NUR 603

Russ McGuire


What is HIPAA

HIPAA – The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)

Requires the Department of Health and Human Services to develop standards for the maintenance and transmission of patient-related data that can be readily identified.


HIPAA Standards

Designed to:

“improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for specific administrative and financial transactions; and

protect the security and confidentiality of electronic health information”.


Impact on Healthcare Organizations

Basic Point – All healthcare organizations MUST comply.

General failure to comply: $100 per violation. Maximum penalty: $25,000.00

Wrongful disclosure of Individually Identifiable Health Information:

Wrongful disclosure, under false pretenses, and/or intent to sell: $50,000 to $250,000 fine. Imprisonment 1 to 10 years.

Bottom line: serious implications for healthcare administrators and clinicians alike.


Impact on Healthcare Organizations

The impact of securing patient-related data from a resource (cost) perspective has not been calculated.

Major operational and procedural changes need to be considered by the organization.

The implementation of HIPAA regulations will be time consuming and costly to many healthcare organizations.

Bottom line: Healthcare organizations MUST implement and monitor the effectiveness of HIPAA regulations or risk substantial fines and possible imprisonment for data security breaches.


Specific Standards

The healthcare consumer will have greater rights when it comes to protecting their health information.

Healthcare providers are prohibited from using or disclosing health information except as authorized by the patient.

This includes all personally identifiable health information, irrespective of whether it's in a manual or automated format.


Specific Standards

Healthcare organizations must inform their patients or beneficiaries (for health insurance) of their business practices concerning the use and disclosure of health information.

Specific regulations regarding consents change how healthcare organizations will obtain the consent of their patients.

Patients are granted the opportunity to request restrictions on the use and disclosure of their health information, including with whom and how their information is shared with other entities.


Specific Standards

Healthcare providers must create “privacy-conscious” business practices to include:

Disclosure of the minimum amount of health information.

Internal protection of medical records.

Employee privacy training/education.

Mechanism for addressing patient complaints.

Designation of a “privacy officer”.


Specific Standards

Data Security Standards are divided into four categories:

Administrative procedures

Physical safeguards

Technical data security services

Technical security mechanisms