Cyber Forensic Reporting: Benefits, Elements, Process, Expert Witnesses, and Ethical Considerations
Cyber forensic reporting creates a complete and evidence-based record. Appropriate cyber forensic reporting includes the investigation process with compliance and legal evidence, analysis, findings, and actionable recommendations for legal admissibility. In healthcare, cyber forensic reporting helps improve compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and facilitates the detection of vulnerabilities. This paper deals with cyber forensic reporting, which includes its benefits, elements, and process; expert witnesses; and ethical considerations. Cyber forensic reporting in healthcare is introduced. Expert witnesses in healthcare cyber forensic reporting are significant. There is a need for the right experts, including experts with specialized experience and knowledge in both healthcare and digital forensics.
- 10.3390/info15060363
- Jun 20, 2024
- Information
9
- 10.1016/j.scijus.2021.06.009
- Jun 27, 2021
- Science & Justice
2
- 10.2139/ssrn.4833246
- Jan 1, 2024
61
- 10.1080/00450618.2017.1281348
- Feb 28, 2017
- Australian Journal of Forensic Sciences
17
- 10.1016/j.diin.2019.06.004
- Jul 20, 2019
- Digital Investigation
36
- 10.1016/j.diin.2019.01.007
- Jan 25, 2019
- Digital Investigation
32
- 10.2196/12972
- Aug 19, 2019
- Journal of Medical Internet Research
4
- 10.1080/23311975.2024.2364053
- Jun 22, 2024
- Cogent Business & Management
12
- 10.1016/j.ijlp.2016.10.008
- Oct 29, 2016
- International Journal of Law and Psychiatry
7
- 10.1109/ubmk.2017.8093563
- Oct 1, 2017
- Research Article
2
- 10.1044/leader.ftr1.10122005.10
- Sep 1, 2005
- The ASHA Leader
HIPAA: Impact on Clinical Practice
- Front Matter
4
- 10.1016/s0161-6420(03)00252-5
- Jun 1, 2003
- Ophthalmology
What is HIPAA and what effect may it have on our journal?
- Research Article
- 10.1016/j.jand.2022.06.222
- Jul 6, 2022
- Journal of the Academy of Nutrition and Dietetics
Current Topics in Health Care Law
- Research Article
- 10.1044/leader.bml1.16092011.3
- Sep 1, 2011
- The ASHA Leader
Patient Information Privacy Basics. Kate Romanow, JD. https://doi.org/10.1044/leader.BML1.16092011.3 ASHA recently hosted an online private-practice institute for audiologists and speech-language pathologists that focused on how to establish, manage, and grow a profitable private practice. Recorded lectures covered topics such as strategic business planning, fees and pricing, employment law basics, managing a fee-for-service practice, increasing referrals, using web-based and social media marketing, coding updates, Medicare billing, and claims and denials. Many of the participants in one of the sessions, “Data Privacy, Security, and Enforcement: HIPAA and More,” raised several questions during and after the institute on the Health Insurance Portability and Accountability Act (HIPAA). This article clarifies points discussed during the institute to help other clinicians understand HIPAA policies. The HIPAA privacy rule protects personal health information and outlines patients’ rights with respect to that information, while allowing disclosure of information needed for patient care. The HIPAA security rule specifies a series of administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of electronic protected health information. Electronic protected health information includes, for example, patient data stored on a computer hard drive, or data transmitted via a computer for billing purposes. The following questions and answers outline basic HIPAA privacy and security regulations. Q: Do the HIPAA regulations apply to me? 
HIPAA compliance is required by all “covered entities,” defined as health plans, health care clearinghouses, and health care providers that transmit any health information in electronic form in connection with “transactions” covered under HIPAA. If you are a provider who, for example, sends patient information electronically to a billing company, then you are a “covered entity” and must comply with HIPAA regulations. Q: What transactions are covered under HIPAA? HIPAA regulations define “transaction” as the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: Health care claims or equivalent encounter information. Health care payment and remittance advice. Coordination of benefits. Health care claim status. Enrollment and disenrollment in a health plan. Eligibility for a health plan. Health plan premium payments. Referral certification and authorization. First report of injury. Health claims attachments. Other transactions that the secretary of health and human services may prescribe by regulation (45 C.F.R. Section 160.103). Q: What does “electronic form” mean? HIPAA does not define “electronic form.” It does, however, define “electronic media” as the following: Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card. Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet (using Internet technology to link a business with information accessible only to collaborating parties), dial-up lines, leased lines, private networks, and the physical movement of removable/transportable electronic storage media. 
Certain transmissions, including those by paper (facsimile) and by voice (telephone), are not considered e-transmissions via electronic media because the information did not exist in electronic form before the transmission (45 C.F.R. Section 160.103). Q: If I am a covered entity, what do I need to do to comply with HIPAA? You must protect the privacy of patient information. You must safeguard patient information sent electronically. For example, you must inform patients about the HIPAA privacy practices you observe and train employees about HIPAA requirements. Q: Are there sample notices of privacy practices? More information about HIPAA privacy notices is available at the Department of Health and Human Services website. ASHA includes a sample notice of privacy practices in its Practice Management Tools for SLPs available in the ASHA online store. Q: Where can I get more information? ASHA’s reimbursement web page includes an extensive section on HIPAA. An article in The ASHA Leader also outlines some basics. The Office of Civil Rights, which enforces the privacy and security rule, has information on its website. The Workgroup for Electronic Data Interchange (of which ASHA is a member) has information to help small practices comply with HIPAA. The full HIPAA regulations are available at the Department of Health and Human Services website. (Be aware, however, that the most current version may not be posted.) Author Notes: Kate Romanow, JD, director of health care regulatory advocacy, can be reached at [email protected]. Volume 16, Issue 9, September 2011. Published in print: Sep 1, 2011. © 2011 American Speech-Language-Hearing Association.
- Research Article
9
- 10.15241/tw.5.3.407
- Jun 1, 2015
- The Professional Counselor
The use of technology in counseling is expanding. Ethical use of technology in counseling practice is now a stand-alone section in the 2014 American Counseling Association Code of Ethics. The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act provide a framework for best practices that counselor educators can utilize when incorporating the use of technology into counselor education programs. This article discusses recommended guidelines, standards, and regulations of HIPAA and HITECH that can provide a framework through which counselor educators can work to design policies and procedures to guide the ethical use of technology in programs that prepare and train future counselors.
Keywords: counselor education, technology, best practice, HIPAA, HITECH
The enactment of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) brought forth a variety of standards addressing the privacy, security and transaction of individual protected health (PHI; Wheeler & Bertram, 2012). According to the language of HIPAA (2013, §160.103), PHI is defined as individually identifiable health information (p. 983) that is transmitted by or maintained in electronic media or any other medium, with the exception of educational or employment records. identifiable health information is specified as follows:
Information, including demographic data, that relates to:
* the individual's past, present or future physical or mental health or condition,
* the provision of health care to the individual, or
* the past, present, or future payment for the provision of health care to the individual, and that identifies the individual for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health includes many common identifiers. (U.S. Department of Health and Human Services [HHS], n.d.-b, p. 4)
The HIPAA standards identify 18 different elements that are considered to be part of one's PHI. These include basic demographic data such as names, street addresses, elements of dates (e.g., birth dates, admission dates, discharge dates) and phone numbers. It also includes such as vehicle identifiers, Internet protocol address numbers, biometric identifiers and photographic images (HIPAA, 2013, § 164.514, b.2.i).
According to language in HIPAA, the applicability of its standards, requirements and implementation only apply to entities, which are (1) a health plan (2) a health care clearinghouse (3) a health care provider who transmits any health in electronic form in connection with [HIPAA standards and policies] (HIPAA, 2013, § 160.102). Covered entities have an array of required and suggested privacy and security measures that they must take into consideration in order to protect individuals' PHI; failure to protect individuals' could result in serious fines. For example, one recent ruling found a university medical training clinic to be in violation of HIPAA statutes when network firewall protection had been disabled. The oversight resulted in a $400,000 penalty (Yu, 2013). Moreover, the recent implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 increased the fines resulting from failure to comply with HIPAA, including fines for individuals claiming they did not know that can range from $100-$50,000 (Modifications to the HIPAA Privacy, 2013, p. 5583). The final omnibus ruling of HIPAA-HITECH, enforcing these violations, went into effect on March 26, 2013 (Modifications to the HIPAA Privacy, 2013; Ostrowski, 2014). Enforcement of the changes from the HITECH Act on HIPAA standards began on September 23, 2013, for covered entities (Modifications to the HIPAA Privacy, 2013).
Academic departments and universities must understand the importance of HIPAA and HITECH regulations in order to determine whether the department or university is considered a covered entity. …
- Discussion
16
- 10.1016/j.jaad.2020.06.989
- Jun 27, 2020
- Journal of the American Academy of Dermatology
Time to revisit the Health Insurance Portability and Accountability Act (HIPAA)? Accelerated telehealth adoption during the COVID-19 pandemic
- Research Article
- 10.1016/j.carage.2016.01.009
- Feb 1, 2016
- Caring for the Ages
A Matter of Trust: The Cost of HIPAA Non-Compliance
- Front Matter
25
- 10.1016/j.ajodo.2016.10.012
- Jan 1, 2017
- American Journal of Orthodontics and Dentofacial Orthopedics
Teleorthodontics.
- Supplementary Content
2
- 10.14219/jada.archive.2010.0264
- Jun 1, 2010
- The Journal of the American Dental Association
What Ethical Responsibilities Do I Have With Regard to Radiographs for My Patients?
- Research Article
- 10.1016/j.carage.2015.05.008
- Jun 1, 2015
- Caring for the Ages
Health Data Breaches Compromised 29 Million Patient Records in 2010–2013
- Research Article
9
- 10.3163/1536-5050.99.1.005
- Jan 1, 2011
- Journal of the Medical Library Association : JMLA
The investigation provides recommendations for establishing institutional collection guidelines and policies that protect the integrity of the historical record, while upholding the privacy and confidentiality of those who are protected by Health Insurance Portability and Accountability Act (HIPAA) or professional ethical standards. The authors completed a systematic historical investigation of the concepts of collection integrity, privacy, and confidentiality in the formal and informal legal and professional ethics literature and applied these standards to create best practices for institutional policies in these areas. Through an in-depth examination of the historical concepts of privacy and confidentiality in the legal and professional ethics literature, the authors were able to create recommendations that would allow institutions to provide access to important, yet sensitive, materials, while complying with the standards set by HIPAA regulations and professional ethical expectations. With thoughtful planning, it is possible to balance the integrity of and access to the historical record of sensitive documents, while supporting the privacy protections of HIPAA and professional ethical standards. Although it is theorized that collection development policies of institutions have changed due to HIPAA legislation, additional research is suggested to see how various legal interpretations have affected the integrity of the historical record in actuality.
- Research Article
- 10.1184/r1/12366866.v1
- Aug 21, 2020
This technical note provides a description of the methodology used and observations made while mapping the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to the practice questions found in the CERT® Cyber Resilience Review (CRR). The mapping that emerged allows health care and public health organizations to use CRR results not only to gauge their cyber resilience, but to examine their current baseline with respect to the HIPAA Security Rule and the NIST Cybersecurity Framework (CSF). Both the CRR and HIPAA Security Rule have been mapped to the NIST CSF. The authors used these mappings and their extensive experience with CRRs to propose the mapping found in this technical note. The mappings between the CRR practices and the HIPAA Security Rule are intended to be informative and do not imply or guarantee compliance with any laws or regulations. The proposed mapping shows that the CRR provides complete coverage of the HIPAA Security Rule. As a result, organizations that must adhere to the HIPAA Security Rule can use the CRR to indicate their compliance with the Security Rule.
- Research Article
7
- 10.1097/00006416-200411000-00014
- Nov 1, 2004
- Orthopaedic Nursing
Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to protect patients' basic rights to privacy and their control over the disclosure of their personal health information. Advances in and the more widespread use of communication technology were increasing the public's concerns over the ease with which their health information could be transmitted, how protected that information was during such transmissions, and their lack of approval for the use of that information by known and unknown third parties. This article, the first of two papers focusing on HIPAA, discusses HIPAA from the clinical perspective and focuses primarily on the HIPAA Privacy Rule. Under what circumstances can a covered entity disclose protected health information? What are the ethical issues inherent in HIPAA? What does HIPAA require of covered entities? What are the implications of HIPAA for professional nurses? The goal of HIPAA is to ensure the protection of confidential health information through having appropriate security systems to guard against unintentional disclosure of that information.
- Single Book
- 10.17226/22359
- Jun 27, 2014
This research project examines privacy legal issues in public transportation and para-transit services arising from the Health Insurance Portability and Accountability Act (HIPAA) and other privacy laws. Public transportation agencies, including para-transit services, maintain some medical information about their clients. These include application materials filed by clients or their health professionals during the eligibility process; records created during the review of these applications; and databases, updated as service is provided, which record customers’ destinations, including clinics, hospitals, doctors’ offices, and dialysis centers. HIPAA includes a privacy rule that provides federal protections for personal health information held by covered entities. According to guidance available from the United States Department of Health and Human Services, a “covered entity” is: a health care provider that conducts certain transactions in electronic form; a health care clearinghouse; or a health plan. On the face of it, transit agencies that provide public transportation, including para-transit services, would not normally be covered entities and the HIPAA privacy rule would not apply to them. However, many transit agencies have been advised by attorneys that HIPAA does apply, at least for certain types of information. Regardless of whether HIPAA itself applies, various state laws or other federal laws also may limit transit agencies’ ability to share sensitive health-related information. Differing understandings of what HIPAA requires have been known to limit the ability to coordinate Medicaid and Americans with Disabilities Act paratransit trips. There is also an issue of whether basic trip information like origin, destination, date, time, and the need for an accessible vehicle is medical information that triggers HIPAA requirements. 
This digest should be helpful to attorneys, transit and para-transit providers, medical providers, planners, transit administrators, and the community at large.
- Research Article
8
- 10.1007/s12207-013-9158-7
- Jun 8, 2013
- Psychological Injury and Law
Forensic mental health providers (FMHPs) typically do not release records to the examinee. The Health Insurance Portability and Accountability Act (HIPAA) federal regulations might change this position, given that they have created a basic right of access to health care records. This legislation has led to a disagreement regarding whether HIPAA regulates forensic evaluations. The primary argument (and the majority of scholarly citations) has been that such evaluations do not constitute “health care.” Specifically, in this position, the nature and purpose of forensic evaluations are not considered related to treatment (amelioration of psychopathology) of the patient. In addition, it asserts that HIPAA applies solely to treatment services; thus, forensic evaluations are inapplicable to HIPAA. We describe the evidence for and against this argument, the strengths and limitations of the evidence, and recent court decisions related to it. The weakest part of the “HIPAA does not regulate forensics” argument is that HIPAA has no exclusion criteria based on type of services. It only creates an inclusion criteria for providers; once “covered,” all services provided by that provider are thence forward “covered.” Authoritative evidence for patient access can be found in the HIPAA regulations themselves, the US Department of Health and Human Services’ commentaries, additional statements and disciplinary cases, the research literature, other agency opinion, and legal opinion. It appears that the evidence strongly suggests that, for those forensic mental health practitioners who are covered entities, HIPAA does apply to forensic evaluations. The implication is that FMHPs potentially face various federal, state, and civil sanctions for refusing to permit patient access to records.
- Research Article
- 10.6000/1929-4409.2025.14.15
- Jul 25, 2025
- International Journal of Criminology and Sociology
- Research Article
- 10.6000/1929-4409.2025.14.14
- Jul 24, 2025
- International Journal of Criminology and Sociology
- Research Article
- 10.6000/1929-4409.2025.14.13
- Jul 22, 2025
- International Journal of Criminology and Sociology
- Research Article
- 10.6000/1929-4409.2025.14.12
- Jul 10, 2025
- International Journal of Criminology and Sociology
- Research Article
- 10.6000/1929-4409.2025.14.11
- Jul 10, 2025
- International Journal of Criminology and Sociology
- Research Article
- 10.6000/1929-4409.2025.14.10
- Apr 25, 2025
- International Journal of Criminology and Sociology
- Research Article
- 10.6000/1929-4409.2025.14.09
- Apr 25, 2025
- International Journal of Criminology and Sociology
- Research Article
- 10.6000/1929-4409.2025.14.08
- Apr 8, 2025
- International Journal of Criminology and Sociology
- Research Article
- 10.6000/1929-4409.2025.14.07
- Mar 4, 2025
- International Journal of Criminology and Sociology
- Research Article
- 10.6000/1929-4409.2025.14.04
- Feb 10, 2025
- International Journal of Criminology and Sociology