Module 10│HIPAA

Module #10 is designed to provide the nuts and bolts of the Health Insurance Portability and Accountability Act (HIPAA) particularly as it relates to patient privacy.

Read carefully, because there is a quiz at the end of this module. There are 10 questions in total and 5 minutes to complete them. 7 questions (70%) must be answered correctly. You have 8 chances to pass this module.


In-Service Exams provided by Essential In-Services for Home Health, 2021

Upon completion, you should be able to:

Understand the components of the HIPAA legislation.

Understand who is affected by the privacy and confidentiality requirements.

Understand what is meant by protected health information (PHI) and individually identifiable health information (IIHI).

Recognize the processes that must be used to assure patient information is kept confidential and secure.

HIPAA History and Overview

Congress passed HIPAA to require the security, confidentiality, and privacy of every person’s health information.

Privacy is about who should and should not have access to health information. Patients have the right to privacy, meaning that information about them should be available only to people who need it to provide care.

Confidentiality is about preventing someone from hearing or seeing a person’s private health records and information unless they have the proper authorization. All health information is confidential. Anyone who has access to this information (PHI) is responsible for protecting it.

Security is the means used to provide privacy and confidentiality. The purpose of security is to ensure that only those persons having authorization may access PHI.

Frontline staff should remember the general HIPAA rule of thumb: the right information, to the right person, for the right reasons.

The American Recovery and Reinvestment Act of 2009 & HITECH

On Feb. 17, 2009, the American Recovery and Reinvestment Act of 2009 became a federal law.

A subset of that law, called the HITECH Act, enhances and expands the HIPAA Privacy and Security Rules and adds requirements for breach notification. The HITECH Act not only makes privacy regulations stricter, but it gives more power to federal and state authorities to enforce privacy and security protections for patient data, and it raises the fines for noncompliance.

The 2013 Omnibus Privacy, Security, Enforcement and Breach Notification Rule (Omnibus Rule) implements many of the HITECH Act provisions for PHI protection.

Why Do We Need HIPAA?

More and more health information is in the form of electronic data, either instead of or in addition to paper files.

We must protect the data in any form. Federal laws make every state and every provider follow the same rules for privacy, confidentiality, and security.

Who Has to Follow the HIPAA Rules?

The following public and private organizations must follow the HIPAA rules:

  • Health plans and health insurance companies such as health maintenance organizations (HMO) and preferred provider organizations (PPO)
  • Health care clearinghouses such as billing services
  • Health care providers such as doctors, dentists, chiropractors, therapists, hospitals, nursing facilities, clinics, pharmacies, home health agencies, hospices, and long-term care or personal care facilities of any type or size.

The HIPAA rules call these organizations covered entities.

Information Protected Under HIPAA

The privacy protections of HIPAA apply to PHI. PHI is information:

  • Created or received by a covered entity or an employer that relates to a person’s past, present or future health condition, health treatment or payment for healthcare services.
  • That could identify an individual, such as name, address, telephone number, date of birth, diagnosis, medical record number, Social Security number, employer, position, or other identifying data

PHI can be in any format: paper, electronic or oral. The most common example of PHI is the patient record.

Protecting Patient Records

If a provider wants to disclose a person’s PHI for purposes of providing care, the provider needs that person’s consent. These purposes include routine health care uses of the information, such as when a doctor consults with another doctor in order to provide better care for an individual.

If a covered entity wants to disclose a person’s PHI for purposes other than providing care, the covered entity needs that person’s specific authorization.

Only authorized personnel should enter confidential medical information into a computer-based patient record. Computer systems should be password protected to help guard against unauthorized access and use.

What is the difference between consent and authorization?

To give consent, a patient must sign a consent form. The patient needs to sign the consent only one time for each provider. The consent will apply whenever that provider discloses the person’s PHI for purposes of providing health care.

Specific authorization is required when a covered entity wants to use or disclose a person’s PHI for purposes not related to providing health care. The person must sign an authorization form for each specific instance.

May a person see his or her personal PHI and make changes?

A covered entity must allow a person to view and photocopy his or her PHI if the person submits a request. The organization may charge for copies of these records.

In a few special circumstances, such as when a covered entity has compiled information for use in a civil, criminal, or administrative proceeding, that entity does not have to give a person access to his or her PHI.

A covered entity may deny a person access to his or her PHI if they have reason to believe that access would create a risk of danger to that person’s health.

If a person believes that his or her PHI contains information that is incorrect, the person may ask the covered entity to make changes. The covered entity may deny the request if they believe the current information is accurate and complete, or if the entity did not create the information.

Exceptions to the HIPAA Privacy Rule

The HIPAA Privacy Rule permits covered entities to disclose health care information without a person’s specific authorization in certain situations, depending upon state or local law, such as:

  • Emergencies
  • Public health needs (such as infectious disease registries)
  • Mandatory reporting of child or elder abuse and neglect
  • Judicial and administrative proceedings
  • When there are substantial communication barriers.

If there is no state or local law specifically requiring disclosure of information in the instances listed above, covered entities are required to use “professional judgment” in deciding whether to disclose information and how much to disclose.

Protection of Patient Privacy and Confidentiality

Quality patient care requires communication between care workers. Computers, the internet, emails, and faxes make it easier to share patient records. However, this information is often readily available to anyone who walks by a fax machine or logs on to a computer. Some people fear that the exposure of their PHI could result in job discrimination, personal embarrassment, or the loss or denial of health insurance.

Important HIPAA Considerations

  • Confidentiality of information, whether in written, electronic or verbal form, is a priority.
  • Confidentiality should extend to all health information.
  • Handle all patient records as confidential at all times. Do not leave them open where unauthorized persons can see them.
  • Learn the safeguards your organization requires for the use, disclosure, and storage of PHI. Know your organization’s privacy policies and procedures.
  • Individuals have the right to decide and to know who may have access to their health information and under what circumstances they may have it.
  • Discuss patient information in a private place so others cannot overhear the conversation.
  • A cover sheet marked “Confidential” should accompany all faxed information.
  • When emailing information about a patient, remove any detailed identifying information. For example, refer to the patient by initials or by the internal patient number instead of by the patient’s full name.
  • Only authorized personnel should enter confidential medical information into a computer-based patient record. Computer systems should be password protected to help guard against unauthorized access and use.
  • Use only objective, precise language when documenting the patient record. Avoid casual remarks and abbreviations that might be misunderstood.
  • Always take the utmost care to protect the privacy and confidentiality of all health information. Be aware of who is around you while you are working and do not allow unauthorized people to hear or see PHI.
  • Think about how you would want your PHI treated. Give your patients that much protection and more.
  • Always obtain permission from patients before sharing PHI with their family or friends.
  • Do not share information you learned while performing your job with the patient’s family or friends.
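The email guidance above (refer to the patient by initials or internal patient number) and the list of identifying data under "Information Protected Under HIPAA" can be turned into a simple pre-send check. The following is an added example written for this page, not code from the training module or its publisher: it flags Social Security numbers, phone numbers, dates of birth and medical record numbers in a draft message, and rewrites a known patient's full name to initials plus an internal number. The patient name, the internal number format `HH-4471`, the `MRN` prefix and the regular expressions are all constructed assumptions for illustration; an agency would adapt them to its own record formats and policy.

```python
"""Added example (not from the training module): a pre-send PHI check for
outgoing messages, applying the module's advice to strip identifying data
and refer to patients by initials or internal patient number."""
import re
from dataclasses import dataclass

# Identifier patterns. These regular expressions are assumptions for
# illustration only; real deployments tune them to their own data formats.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "dob": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{5,}\b", re.IGNORECASE),
}


@dataclass
class Patient:
    full_name: str
    internal_id: str  # constructed internal patient number, e.g. "HH-4471"

    @property
    def initials(self) -> str:
        # "Jane Q. Sample" -> "J.Q.S."
        return "".join(part[0].upper() + "." for part in self.full_name.split())


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return every identifier match grouped by category (empty dict if clean)."""
    return {kind: pat.findall(text) for kind, pat in PATTERNS.items() if pat.search(text)}


def deidentify(text: str, patients: list[Patient]) -> str:
    """Replace known patients' full names with initials + internal number, then
    mask any remaining SSN / phone / DOB / MRN values with a category label."""
    out = text
    for p in patients:
        out = re.sub(re.escape(p.full_name), f"{p.initials} ({p.internal_id})", out, flags=re.IGNORECASE)
    for kind, pat in PATTERNS.items():
        out = pat.sub(f"[{kind.upper()} REMOVED]", out)
    return out


def safe_to_send(text: str, patients: list[Patient]) -> bool:
    """True only if no identifier pattern and no known full name remains."""
    if find_identifiers(text):
        return False
    return not any(p.full_name.lower() in text.lower() for p in patients)


# Constructed sample data: a fictitious patient and a draft visit note.
PATIENTS = [Patient("Jane Q. Sample", "HH-4471")]
DRAFT = (
    "Visit note for Jane Q. Sample (MRN 00012345, DOB 03/14/1958). "
    "Call her at (555) 010-2299 about the wound care supplies. "
    "SSN on file 123-45-6789."
)

if __name__ == "__main__":
    print("findings:", find_identifiers(DRAFT))
    print("safe as written:", safe_to_send(DRAFT, PATIENTS))
    cleaned = deidentify(DRAFT, PATIENTS)
    print("cleaned:", cleaned)
    print("safe after cleaning:", safe_to_send(cleaned, PATIENTS))
```

The check is a safety net for the mistakes the module warns about, not a replacement for the agency's own policy on what may be emailed at all; a message that passes `safe_to_send` still needs the sender to apply the "right information, to the right person, for the right reasons" rule.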

Mobile and Online Considerations

Properly managing your electronic passwords, preventing the spread of viruses, logging off your computer, protecting your tablet and smartphone (if used for care), and being aware of and responsible for any patient information taken or accessed off-site are important ways you can contribute to information security. Know and understand your agency’s policy about which devices can be used for work and in what manner.

Remember that HIPAA applies to all communication. This includes any and all types of social media: Facebook (Meta), Twitter, LinkedIn, Instagram, etc. are not places to share any kind of patient information, whether text or pictures.

Before quickly sharing something from your smartphone at lunch that you think is harmless, realize that if it identifies a patient’s health information in any way, you could find yourself in serious trouble.

Covered entities are required to have a sanctions policy covering employees and other workforce members who violate HIPAA privacy and security regulations. Violating HIPAA’s Privacy, Security or Breach Notification Rules can result in civil or criminal penalties for an individual or group of individuals, and your agency will also encounter severe consequences.