HIPAA
Health Insurance Portability and Accountability Act of 1996
Adam Cushner

Outline

Overview of HIPAA
Specifics of HIPAA
Suggestions for implementation
Effects
Problems
Questions

An Act

To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

Signed by President Bill Clinton on July 21, 1996

Named because it was originally about, well, the portability of health insurance. The focus, however, is on privacy of medical records.

Passed partly because of the failure of Congress to pass comprehensive health insurance legislation earlier in the decade.

General Objectives

Increase the number of employees who have health insurance

Reduce health care fraud and abuse

Introduce/implement administrative simplifications in order to augment the effectiveness of health care in the US

Protect the health information of individuals against access without consent or authorization

Even More General Objectives

Give patients more rights over their private data

Set better boundaries for the use of medical information

Hold people accountable for misuse

Encourage administrative simplification (in the form of digitalization of information) to help reduce costs

General Objectives for Information

Ensure privacy and security of health information by designating Protected Health Information (PHI)
– PHI, for example, must be treated in the same way in which you would treat someone’s tissue (with regard to privacy)

Set a standard for data using Electronic Data Interchange (EDI)

Dynamically HIPAA

HIPAA’s goals, in a sense, are aimed at a moving target:
– Technologies to help implement HIPAA are constantly changing
– Attitudes towards privacy are changing
– Also, there is not much empirical evidence to show whether HIPAA is doing what it set out to do (e.g. reduce costs)


What HIPAA Directly Affects

Covered Entities
– Health plans
– Health care clearinghouses
– Health care providers who transmit health information in electronic form for certain standard transactions

Pending ideas:
– National Provider IDs
– National Employer IDs
– National Health Care IDs
– National Individual IDs

Security Regulations

Contingency Plan
Access Control
Audit Control
Person or Entity Authentication

Contingency Plan

(A) Data backup plan. Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

(B) Disaster recovery plan. Establish (and implement as needed) procedures to restore any loss of data.

(C) Emergency mode operation plan. Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
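The data backup plan asks for "retrievable exact copies" of ePHI, and the disaster recovery plan asks that they can actually be restored. The following is an added example (not from the slides) of how a practitioner can prove both properties rather than assume them: a SHA-256 manifest is taken from the live data at backup time, and a restore is checked file by file against it. The directory layout and the record files are constructed for illustration.

```python
"""Data backup plan check: keep retrievable, exact copies of ePHI and prove
they are exact. Added example; directory layout and records are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large records do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(src: Path, dst: Path) -> dict:
    """Copy src to dst and return the manifest taken from the live source.

    The manifest is what a later restore is checked against, so it belongs
    in the backup catalogue, not only inside the copy it describes.
    """
    shutil.copytree(src, dst, dirs_exist_ok=True)
    return build_manifest(src)


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return relative paths that are missing, altered, or unexpected in restored.

    An empty list means the restored tree is an exact copy of what the
    manifest recorded; anything else means the copy is not "retrievable exact".
    """
    actual = build_manifest(restored)
    problems = [rel for rel, digest in manifest.items() if actual.get(rel) != digest]
    # Files that were never in the source are also a deviation from "exact copy".
    problems.extend(rel for rel in actual if rel not in manifest)
    return sorted(problems)


def demo() -> tuple:
    """Back up a constructed ePHI tree, verify it, damage the copy, verify again.

    Returns (problems_before, problems_after): [] and the altered file's path.
    """
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "ephi"
        copy = Path(tmp) / "backup"
        (live / "records").mkdir(parents=True)
        # Constructed sample records, not real patient data.
        (live / "records" / "mrn-0001.txt").write_text("visit 2003-04-14\n")
        (live / "records" / "mrn-0002.txt").write_text("visit 2003-04-15\n")

        manifest = backup(live, copy)
        before = verify_restore(manifest, copy)

        # Simulate silent damage to the copy (bit rot, a bad restore, tampering).
        (copy / "records" / "mrn-0002.txt").write_text("visit 2003-04-16\n")
        after = verify_restore(manifest, copy)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest should be stored apart from the copy it describes (and ideally signed), otherwise whatever damages or alters the backup can alter the evidence of its integrity as well; a restore drill that ends with an empty problem list is the check the contingency plan is asking for.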

Access Control

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in [164.308(a)(4)].

Difficulties in implementation:
– Too much or too little access.

Audit Control

Allow reviews of usage statistics to check for potential misuse

Person or Entity Authentication

Procedures to identify users seeking information

Security Regulations Wrap-up

Essentially, use rules that any good company would use to protect its data
– Difficult in the health care profession because so many people need access to patients’ information

The rules and ideas for data protection are also mandated on the human side of things
– E.g. training of employees, physical protection of data storage facilities.
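The three technical safeguards on the preceding slides (access control, audit control, person or entity authentication) fit together in one flow: identify the requester, check that the requester has been granted a right to the category of data, and record the attempt either way so usage can be reviewed. The block below is an added example of that flow and is not code from the slides. The user table, the role grants and the record store are constructed; passwords are verified with PBKDF2 from the Python standard library, and the grant table stands in for the policy that 164.308(a)(4) refers to.

```python
"""Authentication, access control and audit control in one small model.
Added example; users, grants and records are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = os.urandom(16)  # unknown users cost the same time as wrong passwords


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes


@dataclass
class EphiSystem:
    users: dict = field(default_factory=dict)
    # Access rights as the policy referenced by 164.308(a)(4) would specify
    # them: which role may read which record category. Constructed policy.
    grants: dict = field(default_factory=lambda: {
        "clinician": {"clinical", "demographics"},
        "billing": {"demographics", "billing"},
    })
    records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def register(self, name: str, role: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[name] = User(name, role, salt, digest)

    def authenticate(self, name: str, password: str) -> Optional[User]:
        """Person or entity authentication: verify the claimed identity."""
        user = self.users.get(name)
        salt = user.salt if user else _DUMMY_SALT
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if user is None or not hmac.compare_digest(candidate, user.pw_hash):
            return None
        return user

    def _log(self, who: str, record_id: str, category: str, outcome: str) -> None:
        """Audit control: every attempt is recorded, allowed or denied."""
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": who,
            "record": record_id,
            "category": category,
            "outcome": outcome,
        })

    def read(self, name: str, password: str, record_id: str, category: str) -> Optional[str]:
        """Access control: authenticate, then check the role's grant, then log."""
        user = self.authenticate(name, password)
        if user is None:
            self._log(name, record_id, category, "denied: authentication failed")
            return None
        if category not in self.grants.get(user.role, set()):
            self._log(name, record_id, category, "denied: no access right")
            return None
        self._log(name, record_id, category, "allowed")
        return self.records.get(record_id, {}).get(category)

    def denied_attempts(self, name: str) -> int:
        """Usage review for the audit slide: denied attempts per user."""
        return sum(1 for e in self.audit
                   if e["user"] == name and e["outcome"].startswith("denied"))


def build_demo() -> EphiSystem:
    """Constructed system: two users, one record with made-up values."""
    system = EphiSystem()
    system.register("dr_lee", "clinician", "correct horse battery staple")
    system.register("pat_billing", "billing", "another long passphrase")
    system.records["mrn-0001"] = {
        "clinical": "dx: example-code",
        "billing": "acct 4471",
        "demographics": "age 47",
    }
    return system


if __name__ == "__main__":
    s = build_demo()
    print(s.read("dr_lee", "correct horse battery staple", "mrn-0001", "clinical"))
    print(s.read("dr_lee", "correct horse battery staple", "mrn-0001", "billing"))
    for entry in s.audit:
        print(entry)
```

The "too much or too little access" difficulty from the Access Control slide shows up here as the contents of the grants table: the code can only be as right as the policy it enforces, which is why the audit log records denials as well as successes, so that a role that is too narrow (many denials for legitimate users) or too broad (reads nobody can explain) becomes visible in review.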

Privacy Rule

Different types of protected data:
– Protected Health Information (PHI) (previously defined)
– Individually Identifiable Health Information (IIHI)
– De-identified Health Information
– Limited Data Sets

Privacy Rule (cont)

IIHI includes any subset of health information, including demographic information collected from an individual, that:
– Identifies the individual (or there is a reasonable basis to believe that the information can be used to identify the individual)

Privacy Rule (cont)

De-identified Health Information:
– Health information is considered de-identified when it does not identify an individual and the covered entity has no reasonable basis to believe that the information can be used to identify an individual. Information is considered de-identified if 17 identifiers are removed from the health information and if the remaining health information could not be used alone, or in combination, to identify a subject of the information. Identifiers include:

Privacy Rule (cont)

(1) names,
(2) geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code (which may instead be changed to 000),
(3) all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89,
(4) telephone numbers,
(5) fax numbers,
(6) electronic mail addresses,
(7) Social Security numbers,
(8) medical record numbers,
(9) health plan beneficiary numbers,
(10) account numbers,
(11) certificate/license numbers,
(12) vehicle identifiers and serial numbers, including license plate numbers,
(13) device identifiers and serial numbers,
(14) Web Universal Resource Locators (URLs),
(14) biometric identifiers, including finger or voice prints,
(15) full face photographic images and any comparable images,
(16) Internet Protocol address numbers,
(17) any other unique identifying number, characteristic or code

Privacy Rule (cont)

Limited Data Sets may contain certain types of direct identifiers, while others must be removed:

Limited Data Sets

Direct identifiers that must be removed from the information for a limited data set are:

(1) name,
(2) address information (other than city, State, and zip code),
(3) telephone and fax numbers,
(4) e-mail address,
(5) Social Security number,
(6) certificate/license number,
(7) vehicle identifiers and serial numbers,
(8) URLs and IP addresses,
(9) full face photos and other comparable images,
(10) medical record numbers, health plan beneficiary numbers, and other account numbers,
(11) device identifiers and serial numbers,
(12) biometric identifiers including finger and voice prints.

Limited Data Sets

Identifiers that are allowed in the limited data set are:

(1) admission, discharge and service dates,
(2) birth date,
(3) date of death,
(4) age (including age 90 or over),
(5) geographical subdivisions such as state, county, city, precinct and five digit zip code.
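The de-identification list and the limited data set list above describe two different cuts of the same record, and the difference between them (dates, age and coarse geography survive in a limited data set but not in de-identified data) is easy to get wrong in practice. The block below is an added example, not code from the slides, that applies both cuts to a record: the field names are an assumption made for this illustration, the sample record holds made-up values only, and the 000 substitution for zip prefixes is applied to a caller-supplied set of prefixes because the slide names the substitution without saying which prefixes it covers.

```python
"""De-identified data (17-identifier removal) versus a limited data set.
Added example; field names are assumed and the sample record is constructed.
"""
import re

# The 17-identifier list mapped to field names of our constructed record.
DEIDENTIFY_DROP = {
    "name", "street", "city", "county", "precinct",           # names, sub-state geography
    "phone", "fax", "email", "ssn",                           # contact details, SSN
    "mrn", "beneficiary_no", "account_no", "license_no",      # record, plan, account, license numbers
    "vehicle_id", "device_id", "url", "biometric", "photo",   # vehicle, device, URL, biometric, images
    "ip", "other_unique_code",                                # IP addresses, any other unique code
}

# Limited data set: direct identifiers that must go. Dates, age and
# city/state/zip are allowed to stay, so they are deliberately absent here.
LDS_DROP = {
    "name", "street", "phone", "fax", "email", "ssn", "license_no",
    "vehicle_id", "url", "ip", "photo", "mrn", "beneficiary_no",
    "account_no", "device_id", "biometric",
}

DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "service_date", "death_date"}


def year_only(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year; anything else is dropped."""
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", value)
    return m.group(1) if m else ""


def safe_harbor_deidentify(rec: dict, small_zip3: set = frozenset()) -> dict:
    """Apply the 17-identifier removal from the slides.

    Dates keep only the year, ages over 89 collapse to "90+", and zip codes
    keep only their first three digits; prefixes listed in small_zip3 become
    "000" (which prefixes qualify is left to the caller in this example).
    """
    out = {}
    for key, value in rec.items():
        if key in DEIDENTIFY_DROP:
            continue
        if key in DATE_FIELDS:
            out[key] = year_only(str(value))
        elif key == "age":
            out[key] = "90+" if int(value) > 89 else int(value)
        elif key == "zip":
            zip3 = str(value)[:3]
            out[key] = "000" if zip3 in small_zip3 else zip3
        else:
            out[key] = value
    return out


def limited_data_set(rec: dict) -> dict:
    """Remove the direct identifiers listed for a limited data set; keep the rest."""
    return {k: v for k, v in rec.items() if k not in LDS_DROP}


# Constructed sample record; every value is made up.
SAMPLE = {
    "name": "Example Person",
    "street": "1 Sample Street",
    "city": "Anytown",
    "county": "Sample County",
    "state": "MA",
    "zip": "02199",
    "birth_date": "1910-05-02",
    "admission_date": "2003-04-14",
    "age": 92,
    "phone": "555-0100",
    "email": "example@example.invalid",
    "ssn": "000-00-0000",
    "mrn": "mrn-0001",
    "ip": "192.0.2.10",
    "diagnosis": "example-code",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE))
    print(limited_data_set(SAMPLE))
```

Field removal is the mechanical half of the slide's definition; the other half, that the remaining data could not be used "alone, or in combination" to identify someone, is a judgement about the whole data set (rare diagnoses, small populations), and a limited data set keeps enough of dates and geography that it stays PHI, which is why the slides pair it with a data use agreement rather than treating it as de-identified.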

Privacy Rule (cont)

Deals with Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI)

Provides, for the first time ever, Federal protections for the privacy of protected health information

Sets only a lower bound on protection – stricter state laws would not be trumped by this, but weaker ones would

Requires notification of information practices

Privacy Rule (cont)

Gives patients more control over their information

Sets boundaries on the release of information

Holds violators accountable with civil and criminal penalties

Allows for data to be released if it aids public health (e.g. statistics about a disease, de-identified patient data)

Privacy Rule (cont)

Compliance date of April 14th, 2003 (2004 for certain small covered entities)

Designed entirely to control the propagation and dissemination of electronic information

Privacy Rule (cont)

Basically, data is allowed to be accessed on a need-to-know basis
– E.g. use for health-care specific operations

Fundraising, marketing, and research usually require separate and specific patient authorizations

Privacy Standards

Must have a procedure for complaints to be filed

Covered Entities cannot require individuals to waive their rights regarding HIPAA

Deceased patients’ information is still protected by HIPAA

Minimum Necessary

When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request

Does not apply to:
– Health care providers
– Individuals concerning their own information
– Certain legal needs
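The minimum necessary standard is a purpose-driven projection: before a record is used, disclosed or requested, it is cut down to the fields the stated purpose needs, and the exceptions on the slide (providers, the individual's own information, certain legal needs) receive the whole record. The following is an added example of that projection and a review helper for past disclosures; it is not code from the slides. The purpose names, the field names, the sample record and the policy table are all constructed for illustration, and the policy table stands in for the determination a real covered entity makes for its own workflows.

```python
"""Minimum necessary: limit PHI to what the purpose needs, with the slide's
exemptions. Added example; policy, fields and record are constructed.
"""

# Purpose -> fields the covered entity has determined are the minimum
# necessary for that purpose. Constructed policy for this example.
MINIMUM_NECESSARY = {
    "billing": {"mrn", "name", "insurance_id", "procedure_codes", "service_date"},
    "appointment_reminder": {"name", "phone", "service_date"},
    "quality_review": {"procedure_codes", "diagnosis", "service_date"},
}

# Requester kinds the slide says the standard does not apply to.
EXEMPT_REQUESTERS = {"health_care_provider", "individual_self", "legal_requirement"}


def minimum_necessary(record: dict, purpose: str, requester: str) -> dict:
    """Return only the fields of record needed for purpose by requester.

    Exempt requesters get the whole record. Everyone else gets the fields
    listed for the purpose, and an unlisted purpose yields nothing: a new
    workflow has to be added to the policy before it can see any PHI.
    """
    if requester in EXEMPT_REQUESTERS:
        return dict(record)
    allowed = MINIMUM_NECESSARY.get(purpose, set())
    return {k: v for k, v in record.items() if k in allowed}


def overshared_fields(disclosed: dict, purpose: str) -> set:
    """Review helper: fields in a past disclosure that exceed the purpose's policy."""
    return set(disclosed) - MINIMUM_NECESSARY.get(purpose, set())


# Constructed sample record; all values are made up.
SAMPLE_RECORD = {
    "mrn": "mrn-0001",
    "name": "Example Person",
    "phone": "555-0100",
    "insurance_id": "plan-123",
    "diagnosis": "example-code",
    "procedure_codes": ["proc-A", "proc-B"],
    "service_date": "2003-04-14",
    "clinical_notes": "free-text notes",
}


if __name__ == "__main__":
    print(minimum_necessary(SAMPLE_RECORD, "billing", "business_associate"))
    print(minimum_necessary(SAMPLE_RECORD, "treatment", "health_care_provider"))
    print(overshared_fields(SAMPLE_RECORD, "appointment_reminder"))
```

Denying by default on an unknown purpose is the practical safeguard here: the common failure is not a deliberate over-disclosure but a new integration that was never given a field list and therefore received everything.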

Disclosures to Business Associates

A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information

Disclosures to Business Associates (cont)

A contract between a CE and a business associate must ensure that the associate will essentially comply with HIPAA.

Whistleblower Protection

Disclosures by whistleblowers:

(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and

Whistleblower Protection (cont)

(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct.

Research Privacy Rules

Based on HHS regulations from the 1970s that are now known as the “Common Rule”

Because HIPAA applies to care and not to research, this rule is still largely in effect

De-identified information can still be used widely, but research databases with large amounts of identifiable patient data cannot

Research Privacy Rules (cont)

Requirements for tracking and accounting of disclosures of patient data used in research where no patient authorization is obtained

Restrictions on recruitment of patients for clinical studies

Restrictions on the creation and maintenance of databases containing identifiable individual health data for research use

Research Privacy Rules (cont)

A requirement for a separate patient authorization for the use of health data for research
– A consent for treatment cannot be combined with consent for research

Creates a substantial burden on the conduct and oversight of human studies
– Authorizations for research data must specify exactly which data can be used by whom and for what purposes
– May be time-limited
– Can be rescinded at any time, although not retroactively
– Low-risk studies might not require authorization

Requirements of Authorizations

a description of the information to be used for research purposes;
who may use or disclose the information
who may receive the information
purpose of the use or disclosure
expiration date of authorization
how long the data will be retained with identifiers
individual’s signature and date
right to revoke authorization
right to refuse to sign authorization (if this happens, the individual may be excluded from the research and any treatment associated with the research)
if relevant, that the research subject’s access rights are to be suspended while the clinical trial is in progress, and that the right to access PHI will be reinstated at the conclusion of the clinical trial.
that information disclosed to another entity in accord with an authorization may no longer be protected by the rule

Dept. of Health and Human Services (HHS)

Privacy and security regulations created by HHS

Done so because of a key provision in HIPAA which said that if Congress did not specify these regulations by 1999, HHS had to do it

Final privacy regulations issued in late 2000; final security regulations issued in February 2003

Punishments for Wrongful Use or Disclosure of PHI

Up to $50,000 and 1 year in jail

If under false pretenses, $100,000 and 5 years in jail

If with intent to sell, up to $250,000 and 10 years in jail


Technologies

Application Service Providers (ASPs)
Virtual Private Networks (VPNs)
Biometrics
Information Lifecycle Management (ILM)*

* Actually, a collection of technologies

ASPs

Provide backend hardware and software

Rent their services, usually on a monthly or yearly schedule, as opposed to licensing their software
– They take the responsibility of upgrading their software and hardware

Many in the health care field rely on ASPs. As a result, they are affected by HIPAA because covered entities must ensure that ASPs are HIPAA compliant.

ASPs and HIPAA

Must be cautious about scalability of security

Because information is transmitted between the covered entities and the ASPs, it must be protected (by some sort of cryptography)
– Good solution: use a VPN

VPNs

Basically, a temporary, secure link over a public network (e.g. the internet)

Cheaper than having a dedicated line

Biometrics

Good way to uniquely identify people or entities

Unfortunately, many current biometric technologies are easily fooled

Not currently used very much

Information Lifecycle Management

A system for assessing the use of data and, based on usage, classifying data for efficiency of access and storage

Basic principles of ILM:
– Assessment
– Classification
– Automation


Dates of Compliance

10/16/2002 – Transactions and code sets
4/14/2003 – Privacy Rule
4/14/2003 – Business Associates
4/20/2005 – Security Rule

Effects

HIPAA caused a large number of commercial products supporting HIPAA to proliferate.

Large financial strain on CEs to implement changes to infrastructure capable of supporting HIPAA

Effects (cont)

Too early to tell how effective HIPAA is/will be for both increasing the privacy and the efficiency/economy of data information exchange.


Cases in which HIPAA caused problems

A patient between 50 and 70 years of age (exact age and sex withheld in compliance with HIPAA) underwent cardiac transplantation at the Tufts-New England Medical Center. The care team was notified two days after the operation that the donor's blood cultures had revealed bacteremia. The infectious-disease consultant contacted the hospital that had cared for the donor to ascertain the identity of the bacterium so that antibiotic therapy could be properly tailored for the now-immunosuppressed recipient. The donor's hospital stated that providing such information would violate HIPAA, since the hospital did not have authorization (from the now-deceased donor), notwithstanding the fact that time was of the essence for the recipient. Although clinical common sense should make this scenario a non-issue, HIPAA impeded clinical care.

Cases in which HIPAA caused problems (cont)

A patient between 40 and 50 years of age was referred to a cardiologist for the urgent evaluation of chest pain after an exercise stress test. With the patient in the examination room, the cardiologist asked that the tracings from the stress test be faxed for his review. At that time, the patient was extremely anxious. The referring facility refused to fax the tracings, stating that using a fax would violate HIPAA, notwithstanding the patient's oral demand that the tracings be faxed and assurance that the receiving fax machine was in a secure location. Although the tracings were eventually received, this misinterpretation of the HIPAA privacy regulation added two full hours to this patient's evaluation. The patient became upset and required urgent catheterization and angioplasty the next day.

Life Insurance, Disability Insurance, and Workers Comp

Currently, HIPAA only applies to health care providers, clearing houses, and plans, all of which need access to PHI. It does not address, however, life insurance, disability insurance, and workers comp, even though they all require access to PHI.

Many companies are taking a "better too much than not enough" approach in which they will often protect information relating to these three things.

Still, some PHI is left unprotected.

Possible detrimental effects on:
Research
Care

Problem to consider

An employee of a blood bank gets a call from a hospital asking what the transfusion history is of a patient he is transfusing. How do you know the person calling really has a right to know such info? How do you ID that person?
