Module 1: State Attorneys General Enforcement of Federal Health Privacy Law

Verne Rinker
length: 42:31 | format: Video with PowerPoint
Related Content: Module 1 State Attorneys General Enforcement of Federal Health Privacy Law.pdf


So, module one, an overview. We wanted to talk about the authority that's contained in HITECH of the American Recovery and Reinvestment Act of 2009 that permits you to enforce the HIPAA privacy and security rules. We're going to go over an overview of the privacy and security rules and, as Sue mentioned, talk about that terminology that you'll use throughout these two days. You'll have a much deeper dive into the privacy and security rules in later modules, but for now we want to skim the surface to set out some of the general boundary lines of the field. We'll also discuss some strategies for identifying potential HIPAA violations and considerations involved in investigating potential violations. Note that throughout the term, or throughout the training, we'll use the term HIPAA Rules. This will refer to the collective suite of regulations, the Privacy Rule, the Security Rule, and the Enforcement Rule, as well as the HITECH breach notification requirements. If we specify otherwise, perhaps the Enforcement Rule itself, then we're talking narrowly about that regulation. This is where the alphabet soup starts. HIPAA: Health Insurance Portability and Accountability Act of 1996. ARRA: the American Recovery and Reinvestment Act. HITECH: Health Information Technology for Economic and Clinical Health Act. Generally, it's easier to just say HIPAA, ARRA and HITECH, and I'll refer to them as that. So after completing this module, we hope you'll be able to discuss your authority under HITECH. Many of you may be familiar with it, but we'd like to review it if you are not. Define the terminology and premise of the Privacy Rule. Explain the purpose of the Security Rule and identify potential HIPAA violations and your role in investigating those alleged violations. What does this mean?
Well, as we go forward into module two and talk about the specific Privacy Rule standards or look more in depth at the changes provided in HITECH, we want to build your HIPAA quotient, a foundation from which to understand what comes next. The foundation includes introducing that new language. What's IIHI? Another acronym. Individually Identifiable Health Information. What's PHI? What's de-identified PHI? What's electronic PHI? As if there wasn't enough. Covered entities, covered functions, covered transactions. We're starting to see some rhythms here. What we'll also cover, an item I find particularly interesting, is how the Privacy Rule came about. And a short but critical look at HIPAA and how the privacy of health information and HHS got so intertwined. So, let's begin. The objectives for this first section are going to be to describe your authority for the enforcement of HIPAA, and to discuss the effect of the ARRA HITECH changes on HIPAA and how it applies to business associates and the new breach notification requirements. We're going to talk about, so, in 2009, the American Recovery and Reinvestment Act, ARRA, was enacted. Title 13 of Division A and Title IV of Division B of ARRA are also known as the Health Information Technology for Economic and Clinical Health Act, or HITECH again. The act went into effect on February 17th, 2009. That's the date from which all the effective dates trigger. If it was one year out or two years out, that February 17th date is the time from which we're counting. Title 13 established the Office of the National Coordinator, or ONC. You may have heard about them. They're doing that push for meaningful use in the electronic health records standards. Subtitle D of HITECH is what we're interested in, though. That's what specifically addresses health information privacy. So, in Section 13410 of Subtitle D, that's where the State Attorneys General come into play.
It provides the authority for State Attorneys General to bring civil action for harm to individuals from alleged violations of HIPAA privacy and security protections. ARRA HITECH also established federal breach notification requirements and extended liability under the HIPAA Rules to business associates of covered entities. There's that covered entity term. And we'll touch on that a little bit later. Business associates, another key thing to pay attention to. But we'll touch on that as well. In any case, so the state Attorney General authority is: in any case in which the Attorney General of a state has reason to believe that an interest of one or more of the residents of that state has been or is threatened or is adversely affected by any person who violates a provision of that part, then the Attorney General of that state, in parens patriae, may bring a civil action on behalf of such residents of the state in a District Court of the United States of appropriate jurisdiction. And what do you get? You've got the potential to receive damages, to achieve an injunction, and also to recover the cost of the action and reasonable attorneys' fees in successful actions. So, let's do a little bit more of a skim over HIPAA. What do we mean when we're talking about HIPAA? We're going to describe the statute and its regulations, we're going to explain the purpose and function of the Privacy Rule, and discuss the purpose and function of the Security Rule. So let's talk about the who, what, whys of HIPAA. In this lesson we're going to talk about: What is HIPAA? What does it include? What does it not include? Who is regulated and who is not? Governed entities. What is HIPAA protecting and what is it not protecting? So we all place a high premium on protecting the privacy and security of our personal health information.
And we know that the consequences of failing to protect that health information can be severe, particularly for folks that have particularly sensitive health information, as well as for anybody, and generally for the respect of the relationship between their provider and themselves. Congress was concerned about this health information privacy when it passed HIPAA. But in the end it relegated privacy to a footnote because lawmakers were unable to agree on the details of any privacy protections. So, our next slide is going to outline the major components of the statute and highlight what are called the administrative simplification provisions, which include privacy protections for individuals' personal health information. This is HIPAA. You may not have thought it was this, but in fact this is. HIPAA consists of five titles. Title I addresses healthcare access, portability and renewability, and it was enacted to protect the health insurance of workers that lose their jobs. We're going to focus on Title II, Subtitle F in particular. Title II was preventing healthcare fraud/abuse, administrative simplification and medical liability reform. But the little box at the bottom that talks about administrative simplification, that's what the layperson that hears about HIPAA thinks of. But not exactly. Subtitle F of Title II of HIPAA is the administrative simplification portion. It encourages efficiencies and effectiveness in the healthcare system through the requirement that HHS adopt standards for electronic transmission of certain health information. So when HIPAA was passed, there were significant administrative inefficiencies in the provider and insurer interactions. A single provider might have a different number for each insurer he or she submits a claim to. And each insurer likely had its own form for different items and different methods for identifying the insured individual.
And often these may have included that individual's Social Security Number displayed right on their insurance identification card. Administrative simplification intended to establish a single uniform standard for the contents of general transactions that occur between providers and insurers. And we'll see what some of these transactions look like later. Now for privacy, notice the title of Section 264 of Subtitle F, "Recommendations With Respect To The Privacy of Certain Health Information". The intent of this section was for the Secretary of HHS to provide recommendations to Congress for legislation to protect the privacy of health information. It said if Congress did not pass legislation within three years, then Section 264 required the Secretary to promulgate final regulations with respect to the privacy of Individually Identifiable Health Information, or IIHI, that addressed the rights of an individual who was a subject of that IIHI, and the procedures that should be established for the exercise of such rights. It also required the Secretary to address uses and disclosures of such information and whether authorization should be required or not. The Security Rule has a much more prescriptive direction by Congress earlier in the HIPAA statute. So what do we have going on here? Congress didn't really say this is the privacy protection we want. Congress said, "HHS, give us recommendations", and from there they didn't enact a law. So, this really is the statutory basis for doing the HIPAA Privacy Rule. This is an interesting legislative item. Administrative simplification. HHS promulgated five regulations under this: the Transactions and Code Sets Rule; a Unique Identifiers Rule, that's the national provider identifier if you've heard of that; then the HIPAA Privacy Rule, the HIPAA Security Rule and the HIPAA Enforcement Rule. So we are already taking on a significant portion of at least the rulemaking out there.
So this Transactions and Code Sets Rule is that whole purpose of the administrative simplification. The Unique Identifiers Rule provides the enumerations used in those standard transactions. We'll not be discussing these, but what we will be doing is a much deeper dive into the protection of the health information that sits in the background of those transactions. So, what are some standard transactions? Transactions are exchanges of information between two parties for a specific purpose. For example, a healthcare provider will send a claim to a health plan to request payment for medical services. Through the HIPAA Transactions and Code Sets Rule, the Secretary of HHS adopted standard transactions for the electronic exchange of health information for certain purposes. Again, how does this relate to us? Well, exchange means disclosure of health information. This information is going to identify the patient, or the patient's insurer, or their insurance number, information about the service that was obtained, maybe even medical tests or prescriptions. Prior to 1996, and really the effective dates for the HIPAA Rules, this all happened in a healthcare services and insurance marketplace. But the privacy of that information generally was not subject to a single minimum standard. And that's our job coming out of HIPAA, that federal floor. So adopting these standards supported the administrative simplification goal of implementing efficiencies. We have been talking about what HIPAA is; let's do a little bit deeper dive into what the HIPAA Rules are. The following definitions are going to be integral to your understanding of the Privacy Rule and Security Rule. A couple of concepts. Covered entities. Covered entity means a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a covered transaction, covered transaction meaning those standard transactions.
Remember a transaction is one for which the Secretary has adopted those standards. Why only this subset of healthcare providers? That electronic billing requirement only applies to the provider. So why only the provider there? A healthcare provider is a covered entity. The primary focus of Congress was the use of the electronic transactions. The provider has an option about using those electronic transactions, so it's the use of that electronic transaction that pulls the provider into covered entity status. If they operate purely on a paper basis or if they don't bill an insurer, then they're not a HIPAA covered entity. That's only, again, for providers. So once a provider engages in one of these transactions with a health plan, they're a covered entity. As a HIPAA covered entity, it then must protect the information and provide rights to that information to its patients. These requirements apply whether the patient is a health plan beneficiary or pays out of pocket, with one exception from HITECH, which you'll hear about later. So, examples. Making certain inquiries about a benefit plan for an enrollee, an eligibility for a health plan transaction, for example. Or requesting authorization for providing healthcare, or referring an individual to another healthcare provider. These are all examples of what might happen among these covered entities. Now what do we mean when we say health plans? All health plans are going to be covered entities so long as they're within this definition. They include health insurance companies, health maintenance organizations, employer-sponsored health plans, government programs that pay for healthcare, such as Medicare and Medicaid, and the military and veterans health programs. Special rules apply to the employer-sponsored group health plans: sharing information with the health plan sponsor, which is the employer.
These and other categories are spelled out in the statute, and the HIPAA Rules add some clarifications, including, for example, that state comprehensive insurance plans are covered entities. Clearinghouses. Not a term that really gets you into the depths of the health insurance market, but something that we need to know is out there and on our radar screen, to pay attention that if their activities impact, for example, your residents, it may be an entity you want to talk with. Healthcare clearinghouses are entities that process or facilitate the processing of health information from non-standard formats or content into standard formats or content, or vice versa. They're usually always conducting these functions on behalf of another entity, such as a health plan, so that they act as a business associate of covered entities. A clearinghouse may take the data received through a standard transaction and convert it to populate a health plan's internal claims management system. So they may have the standard transaction they're sending between providers or between a health plan and provider, but their internal system may not match up and sync, so they need somebody to take their internal data, turn it into the standard format, send it to the clearinghouse, it creates a standard format, ships it off and then it is received on the other side and then pulled apart for the other entity's system. Those are the entities. That's what makes you subject to HIPAA. If you're a covered entity, the plan, the clearinghouse, the provider that bills electronically using the standard transactions. So what's the information we're trying to protect? Well, there's a little bit of a road here that we have to get to. As the slide displays, we have health information and we have individually identifiable health information. Health information can be any number of things. It becomes critical once we say this is Mr. Jones's cancer diagnosis.
Knowledge that a certain prescription drug impacts a certain cancer is important health information. But once you say it's Mr. Jones's prescription, that's when we've crossed a barrier into individually identifiable health information. So, IIHI is defined by the statute as well as the rule as any health information, including demographic information collected from an individual, that is created or received by a health care provider, a health plan, an employer or a healthcare clearinghouse. This is where things start to get a little tricky. Notice before that we said covered entities are required to comply with the HIPAA Privacy Rule, but we've just defined IIHI as being created or received by a healthcare provider without regard to whether that provider engages in the standard transactions. It's an important ball to keep your eye on with these foundational building blocks. IIHI is that health information collected by these entities that relates to the past, present or future physical or mental health or condition of an individual, or the provision of healthcare to an individual, or the past, present or future payment for provision of healthcare to an individual. Notice all of those have the individual now tagged in. So, information is IIHI if it is health information that either directly identifies the individual or if there is a reasonable basis to believe it can be used to identify the individual. A patient's name, contact information and account numbers are generally considered individual identifiers and, if created or received by a covered entity, would be IIHI. So let's take an example of a phonebook. Is that IIHI? It gets dropped off at the provider's doorstep. Let's say that that provider... well, it's a covered entity... let's go ahead and stipulate that. The phonebook isn't. It has contact information, sure, but it's not being provided by the individual, it's by the phone company.
On the other side, a patient walks in the door and has their name put on a roster of patients to see Dr. Smith; that is IIHI. So there's a difference here. Now we get to the heart of HIPAA, protected health information. You see we started with health information, we went to IIHI, now we've got a little bit further refinement to PHI. Protected Health Information is individually identifiable health information transmitted or maintained by a covered entity in any form or medium, with a few exceptions. IIHI held by a non-covered entity or non-business associate of a covered entity is not PHI. So this is kind of the boundary line between IIHI and PHI, between being in the HIPAA Rules and being outside. In some circumstances, information that may otherwise be PHI is not PHI because, well, frankly, the rule says so. IIHI held by a covered entity may or may not be PHI depending upon who holds it and how that information is handled. So, IIHI held within an educational record, such as a school health clinic, usually protected under the Family Educational Rights and Protection Act, or often referred to as FERPA, is not considered PHI under the HIPAA regulations. Similarly, IIHI held by the human resources department of a covered entity as part of its employment records is not PHI protected under the HIPAA regulations. Why would we choose not to protect some of this information? It's health information. It may even be held by somebody that has some covered functions. Well, in circumstances like FERPA, or the employment records, it has protections. So you need to look critically at who's holding it and why they received it. The nurse that has a back problem and can no longer lift a certain amount of weight and needs to be moved provides that to her employer as a means of moving her from one ward to another. That's part of her employment record, that's not part of her medical record, so there's no reason for HIPAA to reach out and protect that, so we make a distinction.
So, examples of PHI. Medical records of patients that visit a doctor's office are often PHI if the provider is a covered entity. Some of the examples on the slide: billing records, other records that the provider may maintain. Note that a record is protected if maintained or transmitted in any format: electronic, paper, oral. If it's transmitted or maintained, it's covered. Recall that we started with the electronic transactions and IIHI that is electronic, but the Privacy Rule hooks in all PHI. For the provider, doing that electronic transaction gets them in the door, but suddenly all of their PHI, even if it's paper, becomes protected. So, a question: you go to the doctor, you're charged a co-pay, you write a check, and the doctor's office sends that check to his or her bank for deposit. Is that PHI? Yes, or no? Response from audience: I would say... Oh, my initial thought was no because it only contains the name. It doesn't contain any social security number, doesn't contain any diagnoses, but it does have the doctor's name, so now I'm thinking, yes, it is. It's kind of a trick question. In the patient's hands, it's not. They're not a covered entity. When he hands it over to the doctor, yeah. It's got their account number. Bank account number. It says Dr. Smith. Dr. Smith is holding it. When he hands it to the bank, it no longer is PHI. The bank isn't operating as a business associate. We'll touch on that later. And the bank isn't a covered entity. He does the, as you'll learn later on, it is a permitted disclosure to give that information to the bank for billing purposes, for payment purposes, so the Privacy Rule is checked off there. But it wasn't PHI, became PHI and then suddenly is no longer PHI. Electronic Protected Health Information. If it wasn't bad enough to just have PHI. EPHI, as we call it, is created, received, maintained or transmitted in electronic format by a covered entity. Pretty simple and straightforward.
EPHI is the focus of the Security Rule. When you hear EPHI, it's not excepted from the Privacy Rule, but the Security Rule exclusively deals with EPHI. And David will get more into that later. So we've heard this term business associates. What are they? They're a group of entities affected by the HIPAA Rules. In simple terms, business associates are individuals or organizations that receive PHI from a covered entity for the purpose of performing a function or activity on behalf of or for the covered entity. Covered entities must enter into an agreement with all business associates to limit their use and disclosure of PHI. Exceptions apply to certain uses and disclosures, such as disclosures by a covered entity to a healthcare provider for treatment purposes. Among other required elements, business associate agreements must ensure that the business associates use and disclose information only as allowed and make clear that they cannot use or disclose PHI in any way that the covered entity cannot. Remember the BA is acting on behalf of, doing something for, the covered entity. So since ARRA, business associates are now directly subject to many of the Privacy and Security Rule provisions. ARRA gave both OCR and you, the State Attorneys General, authority to enforce the rules against business associates directly. This is a significant change. Prior to HITECH, business associates were subject through the business associate agreement and could raise liability for the covered entity, but we could not penalize business associates directly. Now, we can. I would even hazard a guess, but think about a hospital, and we'll go over this a little bit later. They're going to have a lot of business associates. So our field of enforcement just became much broader. Not that we weren't paying attention to what business associates did before, but the direct ability to impose penalties means that reach became a little more concrete.
So the HITECH final rule will provide compliance dates and additional information about these business associate requirements, since it's something new in HITECH. We're of course making the rulemaking. And we should, you'll look forward to that. We can provide any updates that we have for now, but we're still waiting to publish the final rule. So that's probably the furthest we're going to get. So what do business associates do? Remember, individuals or organizations acting on behalf of, or for, the covered entity. So they might provide legal services, accounting services, billing services. Do they have to provide legal services? No. If a hospital wants to have all of its attorneys in house, they're perfectly fine to. But if they seek outside counsel and they need to be using PHI, then we're starting to talk about business associates. You'll hear the term later, flexible and scalable. It's one of the areas where we recognize that this is part of the business marketplace for providers, for health insurers, and the rule fits how they operate. Not every entity that a covered entity does business with is a business associate, though. For example, a member of the covered entity's workforce, volunteers, employees, janitorial staff, hospital nurses, medical review staff, or you could have folks that we call mere conduits of PHI, such as the U.S. Postal Service or a messenger service. They're not business associates. When a hospital mails medical records to a medical licensing board, they don't have to sign a business associate agreement with the U.S. Post Office. We don't generally expect the Post Office to be looking at that PHI or using it or doing something with it. They receive a sealed envelope, they're supposed to deliver a sealed envelope. And they have a very short, tenuous hold on that information. So we recognize them as conduits and, for simplicity, allow that to not require the business associate agreement.
Note that a covered entity can be a business associate of another covered entity. So, for example, a hospital may enlist the services of another healthcare provider to assist in the hospital's training of medical students. In this case, a business associate contract would be required before the hospital could allow that healthcare provider access to patient health information. Also, keep in mind that even if a covered entity does not have a business associate agreement with another entity, the second entity is a business associate under HIPAA if it fits the definition cited in the prior slide. So in other words, a covered entity is subject to the HIPAA business associate requirements regardless of whether that business associate agreement is in place. So, the Privacy Rule, Title II Section 264 of HIPAA: we received over fifty thousand comments when this started. So I commend to you the citations here and the several changes that have happened with the Privacy Rule. Fortunately, we have a compiled version, which I think is in the back of your index, so you don't have to go make your own. Privacy Rule: Part 160 of 45 addresses the administrative requirements that not only apply to the Privacy Rule, but also to the Security Rule. And 160 contains the Enforcement Rule, and you'll get more specifics on this later. Part 164 of 45 is titled Security and Privacy, and Subpart A contains general definitions applicable to both the Security and Privacy Rules. Subpart E of Title 45 establishes standards for handling, use, and disclosure of individuals' health information by persons subject to the Privacy Rule. This is pretty much it. This is the Privacy Rule. This is where it says you may use and disclose and everything else you must do with that PHI. It also includes the individual's rights with regard to their PHI. You may hear us use the term permission or standard. They're generally interchangeable.
The key distinction to take away is that the Privacy Rule regulates uses and disclosures as separate and distinct activities where PHI is employed. We'll go over this more in depth later, but it's a fundamental premise to understand between a covered entity and its handling of its PHI. And recall that the covered entity's obligations run to all of its PHI, not just the electronic PHI, not just what it's using for the standard transactions. Section 1173 of the HIPAA statute requires the Secretary to adopt security standards. This is the genesis of what we call the Security Rule. It ensures that standards... covered entities must maintain reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of IIHI. It protects against any reasonably anticipated threats or hazards to the security or integrity of the information. Compliance generally required since 2005. Again, the Security Rule citation: Part 160 Subpart C and Subpart C of 164, in Volume 45. And David will give you a much larger, in-depth look at this. So recap: we've talked about Title I of HIPAA protecting health insurance, the workers' insurance. And Title II is having this thing called administrative simplification that was really focused on administrative efficiencies in the healthcare system and had this kind of footnote about privacy, from which we get the Privacy Rule. The Privacy Rule establishes standards or requirements for covered entities with regard to protection of individuals' health information and establishes their rights with... establishes security safeguards that covered entities are required to have in place to protect electronic health information from unauthorized access or disclosure. So, a couple more things: how do we identify potential violations? I wanna kind of talk to you about this. How you might identify these.
What constitutes a violation of the HIPAA Rules, and recognize whether or not cases under state AG investigation may also raise HIPAA Rules issues. So how might you come across a HIPAA violation? You may learn of HIPAA violations in a number of ways. One of the most common is to hear about a local news media event, where an individual's information is inappropriately accessed, exposed or lost. For example, in 2008, the electronic medical records of several celebrities seeking services at UCLA Medical Center were inappropriately accessed, and in some cases, publicly disclosed. The event was widely reported in the media, so this is one example where you could seek to enforce your authority. In some cases, affected individuals may contact you directly to report an incident. Or employees or other insiders may learn of suspected violations and choose to report it directly. In other cases, individuals may try to report these incidents to other state organizations, such as licensing or professional ethics organizations. So, an inappropriate use or disclosure of PHI by a covered entity is not the only possible fact pattern indicating a HIPAA violation, but some of these are usually the most detectable, a strong indication that further HIPAA privacy or security violations may be present as well. The Office for Civil Rights and you have authority to conduct either an incident-specific investigation, or a limited or comprehensive review of the entity's compliance. So if there's a complaint, we can go in and look at that. But if there's something that we think was just going wrong, news reports of significant security lapses, we might go in and say, "Hey, we want to make sure everything is operating appropriately." Recall the adage that inaction is action. The Privacy Rule addresses limits on the use and disclosure of PHI, but also addresses activities where disclosure is required, or actions to protect PHI, such as training of staff.
Training of staff is not something that readily comes out as an individual's disclosure of information... it's not. What it is is a requirement under the Privacy Rule's administrative requirements, and it's something that when you're talking with an entity, you want to ask a couple of questions about. Are you doing training? Do you have policies and procedures? Some of these actions aren't readily seen, but they definitely impact whether disclosures happen. So, events and conditions that constitute HIPAA violations. If a violation is suspected or detected, an investigator will want to determine what provision or provisions of the rule were violated. If you're thinking about potential violations, keep in mind that the HIPAA Rules require documentation, so that you can look into whether entities have policies and procedures, whether they are in compliance with the rules and whether those rules are being followed. Also, consider whether there are related standards that have been violated. Again, what's buried here? We're talking about covered entities. Recall that. If it's not a covered entity, they're not subject to the HIPAA Rules. So there's no training required. Make sure you're talking to covered entities first. Determining whether or not other existing investigations that you may have ongoing have HIPAA implications. You may already have certain investigations of existing covered entities, and in these cases you may be pursuing a healthcare fraud case, a labor or other adherence to state laws involving healthcare access and licensure. And in the course of investigating these cases, it may come to light that these organizations are also not providing adequate privacy or security for patients' PHI. If this information is revealed through an investigation, we encourage you to look at it through the HIPAA lens. So let's recap a little bit. Local news stories, complaints by residents; even a neighbor can complain about a possible violation.
It's not a guarantee, but it's also an opportunity to look into a case. Breaches that are now being reported, and being reported in some cases in local media, are also a situation that may involve a violation of HIPAA. It may involve a violation or some breakdown in the policy structure, or training, or operations. It's not a guarantee that it's a violation, but it may very well be. So, investigating potential violations: I just touched briefly on some of the things that we do. I want you to be able to recognize when multiple violations of HIPAA result from a single incident, and also to consider the inter-relationship of violations of the Privacy and Security Rules. You'll have a deeper dive into this in the next two modules, but you'll begin to see how these inter-relate. So during the investigation of an incident, you might discover that there have been multiple violations of various provisions of the Privacy Rule. The patient's not given the right to access their PHI to check for errors, and that patient, because they're not given that access, can't exercise their right to amend their PHI to correct those suspected errors. So these would be violations of both the right to amend, as well as the right to access. The Privacy Rule has a number of standards that build on one another or inter-relate, so it's important to be aware of when those occur. What about the Security Rule versus the Privacy Rule? Recall that the Security Rule only deals with electronic PHI, but the Privacy Rule also deals with electronic PHI. So a single incident may demonstrate that a covered entity or its business associate is in violation of both rules. If the safeguards required under the Security Rule are not properly implemented, this vulnerability may be exploited, leading to a violation of the Privacy Rule, leading to that impermissible or inappropriate disclosure or access.
If an employee who had no legitimate business need to access an electronic record did so and then impermissibly disclosed that PHI, the incident would involve violations, plural, of the access and disclosure provisions of the Privacy Rule, as well as a Security Rule issue. So a quick recap: we talked about how ARRA/HITECH gives you the authority to pursue HIPAA claims. ARRA/HITECH established some breach notification requirements, and those you may find hitting your local newsstands, as well as our website. And many of these standards are captured in the Privacy and Security Rules, so that these entities must follow the safeguards that they have in place to protect their patients' protected health information. You may learn of violations through the news reports that we talked about, and through breaches that are reported. And hopefully now, you feel more confident about discussing your authority under HITECH, and some of the terminology, because you're getting ready to use it real quick with Iliana. And, explain the purposes of the Security Rule and identify potential violations.
  • Module 1: Introduction, Objectives and Overview
  • Lesson 1: ARRA/HITECH Impact on State Attorneys General
  • Lesson 2: HIPAA Overview
  • Lesson 2: Recap
  • Lesson 3: Identifying Potential HIPAA Violations
  • Lesson 3: Recap
  • Lesson 4: Investigating Potential HIPAA Violations
  • Module 1: Recap