Uploaded by Cheryle Thomas

Hipaa Privacy & Confidentiality

HIPAA PRIVACY & CONFIDENTIALITY
HIPAA
• Health Insurance Portability and Accountability Act
• Enacted by the 104th United States Congress and signed by President Bill Clinton in 1996
• Legislation that provides security provisions and data privacy in order to keep patients’ medical information safe.
“The privacy and security of patient health information is a top priority for patients and their families, health care providers and professionals, and the government. Federal laws require many of the key persons and organizations that handle health information to have policies and security safeguards in place to protect your health information — whether it is stored on paper or electronically.” (HealthIT.gov, 2018)
PRIVACY VS. CONFIDENTIALITY
• Privacy refers to the right of an individual to keep his or her health information private. (CDC, 2012)
• Confidentiality refers to the duty of anyone entrusted with health information to keep that information private. (CDC, 2012)
PRIVACY RULE
• The Privacy Rule went into effect April 14, 2003.
• Defines how a patient’s information is used and disclosed.
• Gives patients privacy rights and more control over their own health information.
• Outlines ways to protect Protected Health Information (PHI).
SECURITY RULE
• Security (IT) regulations went into effect April 21, 2005.
• Security means controlling:
  • Confidentiality of electronic PHI.
  • Storage of electronic PHI.
  • Access to electronic PHI.
PHI? WHAT IS IT?
• Protected Health Information (PHI) is individually identifiable health information that is:
  • Created or received by a health care provider, health plan, employer, or health care clearinghouse; and that
    • Relates to the past, present, or future physical or mental health or condition of an individual;
    • Relates to the provision of health care to an individual; or
    • Relates to the past, present, or future payment for the provision of health care to an individual.
PHI INCLUDES
• Information in the health record, such as:
  • Encounter/visit documentation
  • Lab results
  • Appointment dates/times
  • Invoices
  • Radiology films and reports
  • History and physicals (H&Ps)
PATIENT IDENTIFIERS
• Patient identifiers include:
  • Names
  • Medical record numbers
  • Social Security numbers
  • Account numbers
  • License/certification numbers
  • Vehicle identifiers, serial numbers, and license plate numbers
  • Internet protocol (IP) addresses
  • Health plan numbers
  • Full face photographic images and any comparable images
  • Web universal resource locators (URLs)
  • Any dates related to an individual (e.g. date of birth)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Biometric identifiers, including finger and voice prints
  • Any other unique identifying number, characteristic, or code
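As an added example that is not part of the original slides, the Python scanner below looks for several of the identifier categories in the list above inside free text (a clinical note, a support ticket, a log line) and redacts what it finds, which is the kind of first-pass check a DLP or de-identification pipeline performs. The regex patterns and the sample note are constructed assumptions; names are deliberately left out because they cannot be found reliably with patterns alone.

```python
import re

# Patterns for some of the identifier categories in the slide list. They are
# illustrative assumptions for a first-pass check, not a complete
# de-identification rule set. Names need field-level handling or a
# named-entity tool, so they are not attempted here.
# Order matters: a URL is redacted before the IP address or date it may contain.
PHI_PATTERNS = {
    "URL": re.compile(r"https?://[^\s\"'<>]+"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "DATE": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
}


def scan_and_redact(text):
    """Return (findings, redacted_text).

    findings is a list of (category, matched_value) tuples. Each category is
    searched in text already redacted by the earlier categories, so a value
    nested inside another (an IP address inside a URL) is reported and
    replaced only once.
    """
    findings = []
    for category, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((category, match.group(0)))
        text = pattern.sub(f"[{category}]", text)
    return findings, text


# Constructed sample clinical note; every value below is made up.
SAMPLE_NOTE = (
    "Patient Jane Doe, MRN 00123456, DOB 04/12/1965. SSN 123-45-6789. "
    "Phone 555-867-5309, email jane.doe@example.com. "
    "Portal https://portal.example.org/patient/77 accessed from 203.0.113.42 "
    "on 2023-11-02 for lab results."
)

if __name__ == "__main__":
    found, clean = scan_and_redact(SAMPLE_NOTE)
    for category, value in found:
        print(f"{category:6} {value}")
    print(clean)
```

Running it on the sample note reports eight identifiers (the name "Jane Doe" is not among them) and prints the note with each value replaced by its category tag.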
USE & DISCLOSURE
• Use: when PHI is reviewed or used internally (audits, training, customer service, or quality improvement).
• Disclosure: when PHI is released or provided to someone outside the facility (an attorney, the patient, faxing records to another provider).
WHY DO WE SAFEGUARD?
• Patient confidentiality is one of the most important pillars of medicine. Protecting the private details of a patient is not just a matter of moral respect; it is essential in retaining the important bond of trust between the doctor and the individual.
• The Utah Department of Health confirmed that a server containing personal health information (PHI) of some 780,000 patients had been actively hacked into starting in March 2012. Officials reported that thieves had begun removing information from the server. Addresses, dates of birth, Social Security numbers, diagnosis codes, national provider identification numbers, billing codes and taxpayer identification numbers were all included on the server. The Utah Department of Technology Services shut down the server when the breach was discovered on April 2, 2012. The Utah breach stands as the 9th largest data breach ever reported to the HHS. (Breaches, 2013)
WHY DO WE DO IT?
• There’s a much greater threat to our personal data that few are thinking about at all. That threat is the theft and sale of our health records on the black market, a thriving business with “dark web” online stores that don’t look much different from an Amazon marketplace. In fact, there were nine times more medical than financial records breached in 2016 — 27 million — representing nearly 10% of the U.S. population. (Lord, 2017)
(Daitch, 2020)
WHO IS RESPONSIBLE?
• It’s everybody’s job:
CLINICAL
• Physician (ER doctors, surgeons, hospitalists)
• Nurse (CRNA, RN, LPN/LVN, CNS)
• Techs (Radiology Tech, Ultrasound Tech, Surgical Tech)
• Therapist (Physical Therapist, Radiation Therapist)
• Medical Assistants
• Pharmacists
• Medical Technologist, Medical Laboratory Technologist
• Dietitian
NON-CLINICAL
• Case Manager/Social Worker
• Accountant
• Human Resources & Recruiting
• Executive: CEO, CFO, CIO
• Information Technology
• Food Service
• Environmental Services
• Administrative Assistant
HOW DO WE SAFEGUARD?
1. Develop a comprehensive patient privacy and confidentiality policy.
   https://medicalcityhealthcare.com/about/notice-of-privacy-practices.dot
2. Ensure the confidentiality policy extends to partners.
   https://medicalcityhealthcare.com/about/notice-of-privacy-practices.dot
3. Make sure all confidential information is stored within secure systems.
   https://ap.idf.medcity.net/IdentityFederationPortal/Login/FormLogin/HCA?
4. Implement best practice IT security policies:
   • Consider biometric security
   • Form a hierarchical cybersecurity policy
   • Employ a risk-based approach to security
   • Back up your data
   • Manage IoT security
   • Use multi-factor authentication
   • Handle passwords securely
   • Use the principle of least privilege
   • Keep an eye on privileged users
   • Monitor third-party access to your data
   • Be wary of phishing
   • Raise employee awareness
IT BEST PRACTICES
• Consider biometric security
  • Biometrics ensures fast authentication, safe access management, and precise employee monitoring.
  • Voice recognition, fingerprint scans, palm biometrics, facial recognition, behavioral biometrics, and gait analysis are options for verifying whether users are who they claim to be.
  • Behavioral biometrics analyzes the way users interact with input devices. If abnormal behavior is detected, a tool sends a warning to security officers so they can react immediately. Several types of behavioral biometrics can be employed by user and entity behavior analytics (UEBA) systems:
    • Keystroke dynamics – considers typing speed and the tendency to make typical mistakes in certain words to create user behavior profiles
    • Mouse dynamics – tracks the time between clicks and the speed, rhythm, and style of cursor movement
    • Eye movement biometrics – uses eye and gaze tracking devices to record videos of eye movement and detect unique patterns
IT BEST PRACTICES
• Form a hierarchical cybersecurity policy
  • A written policy serves as a formal guide to all cybersecurity measures used in your company. It allows your security specialists and employees to be on the same page and gives you a way to enforce rules that protect your data.
• Employ a risk-based approach to security
  • Pay attention to the risks that your company faces and how they affect the bottom line. Your best tool here is a thorough risk assessment.
• Back up your data
  • Ensure the security of your data by regularly backing it up.
(12 Best Cybersecurity, 2020)
IT BEST PRACTICES
• Manage IoT security
  • The Internet of Things market continues to grow. However, no matter how badly we want to see new technologies, safety always comes first. The most challenging thing about IoT devices is their access to sensitive information.
  • Conduct penetration testing to understand the real risks and plan your security strategy accordingly.
  • Provide encryption for both data at rest and in transit (end-to-end encryption).
  • Ensure proper authentication to allow only trusted connections to endpoints.
  • Don’t use default hard-coded credentials: commonly used passwords are easy to find on the internet.
  • Purchase a secure and up-to-date router and enable the firewall.
  • Develop a scalable security framework to support all IoT deployments.
IT BEST PRACTICES
• Use multi-factor authentication
  • Multi-factor authentication (MFA) is a must-have solution for advanced security strategies.
• Handle passwords securely
  • The best way to ensure proper security is to use specialized tools, such as password vaults and PAM solutions.
IT BEST PRACTICES
• Use the principle of least privilege
  • Granting new employees all privileges by default allows them to access sensitive data even if they don’t necessarily need to. Such an approach increases the risk of insider threats and allows hackers to get access to sensitive data as soon as any of your employee accounts is compromised. A much better solution is to use the principle of least privilege.
  • The principle of least privilege seems similar to the zero trust security model.
  • The zero trust practice says to grant access only to those users and devices that have already been authenticated and verified in the system.
(12 Best Cybersecurity, 2020)
IT BEST PRACTICES
• Keep an eye on privileged users
  • Limit the number of privileged users by implementing the principle of least privilege.
  • Make sure that privileged accounts are deleted immediately whenever the people using them are terminated.
  • Employ user activity monitoring solutions to record any actions taken inside your network.
• Monitor third-party access to your data
  • User activity monitoring should also be used in conjunction with one-time passwords in order to provide full logging of all user actions, so you can detect malicious activity and conduct investigations when necessary.
IT BEST PRACTICES
• Be wary of phishing
  • Your basic defense can be simple and consists of only two steps:
    • Get a properly configured spam filter and ensure that the most obvious spam is always blocked.
    • Educate your employees about popular phishing techniques and the best ways to deal with them.
• Raise employee awareness
  • A sure way to deal with negligence and security mistakes by your employees is to educate them on why safety matters.
VIOLATIONS
• Three types of violations:
  • Incidental
  • Accidental
  • Intentional
INCIDENTAL VIOLATIONS
• If reasonable steps are taken to safeguard a patient’s information and a visitor happens to overhear or see PHI that you are using, you will not be liable for that disclosure.
• Incidental disclosures are going to happen (even in the best of circumstances).
ACCIDENTAL VIOLATIONS
• Mistakes happen. If you mistakenly disclose PHI or provide confidential information to an unauthorized person or breach the security of confidential data, you must:
  • Acknowledge the mistake and notify your supervisor and the Privacy Officer immediately.
  • Learn from the error and help revise procedures (when necessary) to prevent it from happening again.
  • Assist in correcting the error only as requested by your leader or the Privacy Officer. Don’t cover up or try to make it “right” by yourself.
INTENTIONAL VIOLATIONS
• If you ignore the rules and carelessly or deliberately use or disclose protected health or confidential information, you can expect:
  • Disciplinary action, up to and including termination
  • Civil and/or criminal charges
REFERENCES
• “10 Largest HIPAA Breaches of 2012.” Healthcare IT News, 10 Jan. 2013, www.healthcareitnews.com/news/10-largest-hipaa-breaches-2012.
• “12 Best Cybersecurity Practices in 2020.” Ekran System, 20 Jan. 2020, www.ekransystem.com/en/blog/best-cyber-security-practices.
• Daitch, Heidi. “Real Identity Theft Stories Case #9: Medical ID Theft.” IdentityForce blog, 6 Feb. 2020, www.identityforce.com/blog/real-identity-theft-stories-part-9.
• “HIPAA Basics.” HealthIT.gov, 21 May 2018, www.healthit.gov/topic/privacy-security-and-hipaa/hipaa-basics.
• Lord, Robert. “The Real Threat of Identity Theft Is in Your Medical Records, Not Credit Cards.” Forbes, Council Post, 15 Dec. 2017, www.forbes.com/sites/forbestechcouncil/2017/12/15/the-real-threat-of-identity-theft-is-in-your-medical-records-not-credit-cards/#527464e91b59.
• “Privacy & Confidentiality.” Centers for Disease Control and Prevention, 14 Mar. 2012, www.cdc.gov/aging/emergency/legal/privacy.htm.