Understanding Healthcare Legislation & Terminology

go anywhere. do more.
3M Optical Systems Division
Specialty Display Business
What is HIPAA?
• HIPAA = Health Insurance Portability and Accountability Act of 1996
• Specifies laws for the protection and use of Protected Health Information (PHI)
• Comprised of 4 main rules:
1. HIPAA Privacy Rule - protects the privacy of individually identifiable health information (IIHI)

Requires covered entities and business associates to have administrative, technical,
and physical safeguards in place to protect the privacy of protected health information

The Department of Health & Human Services lists the use of computer monitor privacy
filters as an example of a physical safeguard for PHI*
* “Guide to Privacy and Security Health Information” by the Office of the National
Coordinator for Health Information Technology; Department of Health & Human Services
2. HIPAA Security Rule - sets national standards for the security of electronic protected health information (ePHI)
3. HIPAA Breach Notification Rule – requires covered entities and business associates to provide
notification following a breach of unsecured PHI
4. Patient Safety Rule – confidentiality provisions, which protect IIHI being used to analyze patient
safety events and improve patient safety
© 3M 2013. All Rights Reserved. CONFIDENTIAL
* This information is intended for general informational purposes only and is not intended to give specific legal or compliance advice.
What is HIPAA? - Continued
• HIPAA basically requires three things:
1. Integrity of information – the medical record must be accurate
2. Confidentiality – the medical record should only be seen by those with a need to know, and all
uses of that data should be knowable by the individual.
3. Availability – the medical record must be available; in essence, no reasonably avoidable
downtime
• Administered by the Dept. of Health and Human Services (HHS) and enforced by the Office for
Civil Rights (OCR) – sub-agency of the U.S. Department of Education
• HHS and OCR do not endorse any private consultants' or education providers' seminars,
materials or systems, and do not certify any persons or products as "HIPAA compliant."
What is the HIPAA Omnibus Rule?
• It was an update to the HIPAA Act. The main, or most important/relevant, changes were:
• It extended HIPAA to include business associates and their subcontractors in addition to
covered entities.
– Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules'
requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to
their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions,
the covered entity must have a written business associate contract or other arrangement with the business associate that establishes
specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’
requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business
associates are directly liable for compliance with certain provisions of the HIPAA Rules. If an entity does not meet the definition of a
covered entity or business associate, it does not have to comply with the HIPAA Rules. See definitions of “business associate” and
“covered entity” at 45 CFR 160.103
• Strengthened penalties for violations:
– Failure to comply with HIPAA rules is subject to civil penalties of between $100 and
$25,000 per violation during a calendar year.
– Privacy breaches are subject to penalties and fines of up to $1.5 million per year for all
violations of an identical provision.
• The HIPAA Omnibus Interim Rule actually went into effect in 2009 and the rule was finalized in
2013.

What is HITECH?
• HITECH (Health Information Technology for Economic and Clinical Health Act) - enacted under Title XIII of
the American Recovery and Reinvestment Act (ARRA)

HITECH was passed in 2010 in order to update HIPAA rules and provide federal funds for deploying
electronic medical records (EMR), also referred to as electronic health records (EHR). HITECH upgraded
HIPAA because medical records were now in digital form, and as a result, they needed new rules for
protection and availability.
a) Enforcement arm of HIPAA and strengthened HIPAA. Implements a tiered system of civil monetary
penalties for noncompliance and allows state attorneys general to file civil actions for HIPAA violations.
b) Offers eligible healthcare organizations monetary incentives to encourage the adoption of EHR
technology - also known as “Meaningful Use Programs”
i. Up to $25 billion in incentives being offered for EHR purchases via Medicare and Medicaid through
2015
ii. Protecting patients’ privacy and securing their health information is a core requirement of the
program in order to receive its incentives
iii. A healthcare practice is responsible for taking the steps needed to protect the confidentiality of
health information
What is Protected Health Information (PHI)?
Protected Health Information (PHI) is individually identifiable health information transmitted or maintained
by a covered entity (CE) or its Business Associate (BA) in any form or medium.
Reference: 45 CFR 160.103
• Reveals the state of a person’s health
• Identifies an individual’s:
– Past, present or future physical or mental health
– Past, present, or future health care
– Past, present, or future health care payment
• Gives reasonable basis for determining a person’s identity
• ePHI is any PHI transmitted electronically
• PHI may be in any form or medium
What is Individually Identifiable Health Information (IIHI)?
Individually Identifiable Health Information (IIHI) is information that is a subset of health
information, including demographic information collected from an individual.
Reference: 45 CFR 160.103
• Name
• Any address specification such as street, city, county, precinct or zip code
• All dates except for the year, including birth date, admission date, discharge date, date of death, and all ages over 89
• Telephone number
• Fax number
• Electronic mail address
• Social Security number
• Medical record number
• Health plan beneficiary number
• Account number maintained by the healthcare provider
• Certificate or license number such as driver’s license number
• Vehicle identifier and serial number including license plate number
• Medical device identifier and serial number such as pacemaker serial number
• Web site address
• Internet protocol (IP) address number
• Biometric identifier including finger & voice prints
• Full face photographic images and any comparable image
• Any other unique identifying number, characteristic or code
If any of the above data is transmitted or maintained, it is PHI and must be protected.
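The identifier list above is exactly what a de-identification pass has to look for. As an added example (not part of the 3M deck), this Python script drops the listed direct-identifier fields, keeps only the year of dates, aggregates ages over 89, and scans free-text notes for identifier-shaped values; the field names, regex patterns and sample record are assumptions constructed for illustration.

```python
import re
from datetime import date

# Fields holding identifiers the list above names directly: removed outright.
# (Field names are constructed for this example.)
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "web_url", "ip_address", "biometric", "photo",
}
# Date fields: everything except the year is removed.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifier shapes that commonly leak into free-text notes (constructed patterns).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

def scrub_text(text):
    """Replace identifier-shaped substrings in free text with a tagged marker."""
    for tag, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{tag.upper()} REMOVED]", text)
    return text

def deidentify(record):
    """Return a new record with the listed identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                # drop the field entirely
        if key in DATE_FIELDS and isinstance(value, date):
            out[key + "_year"] = value.year         # keep only the year
        elif key == "age" and isinstance(value, int) and value > 89:
            out[key] = "90+"                        # ages over 89 are aggregated
        elif isinstance(value, str):
            out[key] = scrub_text(value)            # free text may still carry PHI
        else:
            out[key] = value
    return out

def contains_phi(record):
    """True if any listed identifier is still present in the record."""
    if DIRECT_IDENTIFIER_FIELDS & set(record) or DATE_FIELDS & set(record):
        return True
    if isinstance(record.get("age"), int) and record["age"] > 89:
        return True
    return any(p.search(v) for v in record.values()
               if isinstance(v, str) for p in FREE_TEXT_PATTERNS.values())

# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-00012345", "age": 92,
    "birth_date": date(1931, 4, 2), "admission_date": date(2013, 6, 15),
    "diagnosis": "hypertension",
    "note": "Call 555-123-4567 or jane@example.org; SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    print("PHI present before:", contains_phi(SAMPLE))
    cleaned = deidentify(SAMPLE)
    print(cleaned)
    print("PHI present after:", contains_phi(cleaned))
```

Regex scanning of notes is a coarse safety net, not a substitute for reviewing free text; the structured-field rules are the reliable part.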
What is a Covered Entity?
A Covered Entity is one of the following:
1. Health Care Providers
• Includes: doctors, clinics, psychologists, dentists, chiropractors, nursing
homes, pharmacies
2. Health Plans
• Includes: health insurance companies, HMOs, company health plans, and
government programs that pay for health care, such as Medicare, Medicaid,
and the military and veterans health care programs
3. Health Care Clearinghouses
• Includes entities that process nonstandard health information they receive
from another entity into a standard (i.e., standard electronic format or data
content), or vice versa.
What is a Business Associate?
• A “business associate” is a person or entity that performs certain functions or activities that involve the use or
disclosure of protected health information on behalf of, or provides services to, a covered entity.
– A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan,
or health care clearinghouse can be a business associate of another covered entity.
• Business associate functions and activities include: claims processing or administration; data analysis, processing or
administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.
Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management;
administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.
Examples of Business Associates:
• A third party administrator that assists a health plan with claims processing.
• A CPA firm whose accounting services to a health care provider involve access to protected health information.
• An attorney whose legal services to a health plan involve access to protected health information.
• A consultant that performs utilization reviews for a hospital.
• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a
health care provider and forwards the processed transaction to a payer.
• An independent medical transcriptionist that provides transcription services to a physician.
• A pharmacy benefits manager that manages a health plan’s pharmacist network.
Glossary
• Ambulatory Care
A personal healthcare consultation, treatment, or intervention using advanced medical technology or procedures delivered on an outpatient
basis – usually consists of clinics and smaller offices vs. hospitals or inpatient types of
• Anonymized - Previously identifiable data that have been deidentified and for which a code or other link no longer exists. An investigator would
not be able to link anonymized information back to a specific individual.
• Anonymous - Data that was collected without identifiers and that were never linked to an individual. Coded data are not anonymous.
• Business Associates
Anyone who has access to patient information, whether directly, indirectly, physically or virtually. Additionally, any organization that provides
support in the treatment, payment or operations is considered a business associate, i.e. an IT company or a billing and claims processing
company. Other examples include a document destruction company, a telephone service provider, accountant or lawyer. The business
associates also have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative and technical
safeguards. A business associate does not work under the covered entity’s workforce, but instead performs some type of service on their
behalf.
• Business Associate Agreement
The standard agreement document that clearly defines the roles and responsibilities of a business associate and the covered entity. The other
key piece of the Business Associates Agreement is the assurance that businesses will take proper steps to implement the appropriate
administrative, physical and technical safeguards.
• Covered Entities (CE)
Anyone who provides treatment, payment and operations in healthcare. It could include a doctor’s office, dental office, clinics, psychologist,
nursing home, pharmacy, hospital or home healthcare agency. This also includes health plans, health insurance companies, HMOs, company
health plans and government programs that pay for health care. Health clearing houses are also considered covered entities.
• Electronic Data Interchange (EDI)
The communication or exchange of business documents between companies via computer.
HIPAA Glossary
• Electronic Health Records (EHR)
Electronic health records are any electronic record of patient health information generated within a clinical institution or environment, such as a
hospital or doctor’s office. This may include medical history, laboratory results, immunizations, demographics, etc.
• Electronic Medical Records (EMR)
• Electronic Protected Health Information (EPHI)
All individually identifiable health information that is created, maintained or transmitted electronically.
• Healthcare Clearinghouse
An organization that standardizes health information. One example is a billing company that processes data from its initial format into a
standardized billing format.
• Health Information
Patient information collected by a health plan, health care provider, public health authority, employer, healthcare clearinghouse or other
organization that falls under covered entity.
• Healthcare Insurance Portability and Accountability Act (HIPAA)
Developed in 1996, the acronym HIPAA stands for Healthcare Insurance Portability and Accountability Act. Initially created to help the public
with insurance portability, they eventually built administrative simplifications that involved electronic, medical record technology and other
components. In addition, they built a series of privacy tools to protect healthcare data.
• Health Information Technology for Economic and Clinical Health (HITECH)
In 2009, as part of the American Recovery and Reinvestment Act (ARRA), there was an act within that called HITECH, short for The Health
Information Technology for Economic and Clinical Health Act. The act included incentives offered to physicians in private practices, as well as
institutional practices to implement and adopt electronic medical records. In addition to incentives, the act included a series of fines to help
enforce HIPAA rules. HITECH also mandated that business associates of covered entities, as well as the covered entities themselves, were
responsible for the same level of HIPAA compliance.
HIPAA Glossary
• HIPAA Violations
If a company fails to comply with HIPAA rules, they are subject to both civil and criminal penalties.

Civil Penalties
Established by the American Recovery and Reinvestment Act of 2009 (ARRA), the tiered civil penalty structure below determines the cause and
consequences of the HIPAA breaches. The Secretary of the Department of Health and Human Services has the ability to ultimately determine fines and
penalties due to the extent of the violation on a case-by-case basis.

Due Diligence
An organization is in violation, but they have taken every possible step they could have foreseen to prevent that.
Minimum fine: $100 per incident with annual maximum of $25,000 for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations

Reasonable Cause
The steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but
something wasn’t addressed yet. The violation is due to reasonable cause and not willful neglect.
Minimum fine: $1,000 per incident with annual maximum of $100,000 for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $1.5 million for repeat violations

Willful Neglect
There are two types of willful neglect. The first is when a company clearly ignores the HIPAA law but corrects their mistake within the given amount of
time.
Minimum fine: $10,000 per incident with annual maximum of $1.5 million for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations
The second type of willful neglect is when a company ignores the HIPAA law and does not correct their mistake.
Minimum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations

Criminal Penalties
The U.S. Department of Justice established who can be held liable for HIPAA violations due to criminal activity. This includes covered entities and any
specified individual working under a covered entity. Anyone who knowingly misuses health information can be fined up to $50,000 including up to a
year of imprisonment. More serious offenses call for higher fines and prison time.
HIPAA Glossary
• HIPAA Audit
A HIPAA audit is based off a set of regulations, standards and implementation specifications. The audit is an analysis that helps to pinpoint the
organization’s current state and what steps need to be taken to get the organization compliant.
– An evaluation is part of the audit - a company must perform an evaluation and undergo periodic evaluations once a year at minimum. As technology changes, different
components are added to an organization’s infrastructure and they should be re-evaluated.
– While covered entities need to undergo HIPAA audits, third-party business associates also need to comply. This includes any company that might provide services for a covered
entity, for example, an application hosted in a cloud and provided to a covered entity.
• Individually Identifiable Health Information
A subset of health information, this includes demographic information about an individual’s health that identifies or can be used to identify the
individual. This includes name, address, date of birth, etc.
• OCR HIPAA Audit Protocol
Up through early 2012, there was no federal standard for third-party auditors to conduct a HIPAA audit. With the publication of the new Office
for Civil Rights audit protocol, auditors are able to gain a more consistent direction on how the OCR will conduct HIPAA audits in the future.
The new protocol covers requirements found in the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.
• Privacy Rule
The part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a
patient’s own right to access.
• Protected Health Information (PHI)
This includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that
includes name, social security number, phone number, medical history, current medical condition, test results and more.
• Security Rule
The part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted
electronically.