Difference between revisions of "Protected Health Information (PHI)"
| Line 8: | Line 8: | ||
PHI is found in many locations in the [[EMR|electronic medical record]]. Data can be found in medical records, billing records, insurance/benefit enrollment and payment, claims payment, and case management records. | PHI is found in many locations in the [[EMR|electronic medical record]]. Data can be found in medical records, billing records, insurance/benefit enrollment and payment, claims payment, and case management records. | ||
| + | |||
| + | ==Protected Health Records== | ||
| + | |||
| + | Security and privacy go hand in hand. Security is about controlling access to electronic Personal Health Information; privacy is about controlling how electronic, oral, and written Personal Health Information is used and disclosed. Covered entities need to make it a top priority to establish and implement policies and procedures to protect patient information (1). | ||
| + | |||
| + | ==Compliance== | ||
| + | Organizations compliance guidelines, like law and industry codes reflect and are intended to serve patients by safeguarding medical information, enabling us to advance patient care while protecting patient privacy. | ||
| + | |||
| + | Fundamental elements to an effective compliance program: | ||
| + | 1. Written policies and procedures for compliance | ||
| + | 2. A designated compliance officer and committee | ||
| + | 3. Effective training and education for employees | ||
| + | 4. Effective lines of communication | ||
| + | 5. Internal monitoring and auditing procedures | ||
| + | 6. Enforcement of standards through disciplinary guidelines | ||
| + | 7. Prompt responses to detected problems and implementation of corrective action (2) | ||
| + | |||
| + | |||
| + | ==Administrative Safeguards== | ||
| + | The Privacy Rule requires covered entities to perform administrative tasks to protect privacy of health information. Scalable confidentiality and security procedures, designated security officer, sanctions for violations, and signed statement by all employees regarding confidentiality of data (1). | ||
| + | |||
| + | ==Technical Safeguards== | ||
| + | Unique ID and password system stores password encrypted, weak passwords not allowed, automatic time logoff, system enforced password changes, firewall, and virus checking. Sharing of passwords between physicians and office managers is not allowed. Computers left open to the internet can leave medical records exposed to outsiders. Games on computers can crash the network and may contain viruses that damage network data. Passwords should give employees the level of information they need for their job. | ||
| + | |||
| + | ==Protecting Electronic Data== | ||
| + | Confidential information stored on a portable electronic device such as a laptop, USB drive, CD, DVD or PDA should be encrypted to ensure data cannot be retrieved by an unauthorized person if lost or stolen. | ||
| + | |||
| + | ==Recycling== | ||
| + | Placing protected information in an unsecured garbage can (including blue recycle cans) is not an acceptable method of disposal for documents that contain private information. Such information should be secured until shredded or properly destroyed. | ||
| + | |||
| + | ==Summary== | ||
| + | Healthcare providers in all settings implement compliance programs to protect patient privacy and to ensure ethical business practices. This is necessary due to the increased severity of penalties established by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Balanced Budget Act of 1997 (public law 105-33). By ensuring ethical business practices through compliance programs, healthcare providers reduce their risk of criminal and civil litigation in regards to privacy and security.(3) | ||
| + | |||
| + | References | ||
| + | |||
| + | 1.Hartley, C. & Jones, E. (2004) HIPAA Plain and Simple, a compliance guide for healthcare professionals. AMA Press, Chicago, IL | ||
| + | |||
| + | 2.Healthcare compliance-an introductory guide for employees. Johnson and Johnson. Retrieved from: http://www.shareholder.com/Shared/DynamicDoc/jnj/1293/6210%20Overview%20Guide_WEB_single_pg.pdf | ||
| + | |||
| + | 3.AHIMA (2011). Healthcare compliance. Retrieved from: http://www.ahima.org/resources/compliance.aspx | ||
| + | |||
| + | Submitted by Sherry Dexheimer | ||
| + | |||
| + | [[Category:BMI512-SUM-11]] | ||
Revision as of 14:57, 14 October 2011
Protected health information (PHI) is individually identifiable health information.
Contents
Introduction
Protected health information is demographic data that relates to individual’s physical or mental health, provision of health care, payment for the provision of health care, and common identifiers (e.g., name, address, phone numbers, birth date, Social Security Number). All protected health information must comply with Health Insurance Portability and Accountability Act (HIPAA) standards.
Common locations of protected health information
PHI is found in many locations in the electronic medical record. Data can be found in medical records, billing records, insurance/benefit enrollment and payment, claims payment, and case management records.
Protected Health Records
Security and privacy go hand in hand. Security is about controlling access to electronic Personal Health Information; privacy is about controlling how electronic, oral, and written Personal Health Information is used and disclosed. Covered entities need to make it a top priority to establish and implement policies and procedures to protect patient information (1).
Compliance
Organizations compliance guidelines, like law and industry codes reflect and are intended to serve patients by safeguarding medical information, enabling us to advance patient care while protecting patient privacy.
Fundamental elements to an effective compliance program: 1. Written policies and procedures for compliance 2. A designated compliance officer and committee 3. Effective training and education for employees 4. Effective lines of communication 5. Internal monitoring and auditing procedures 6. Enforcement of standards through disciplinary guidelines 7. Prompt responses to detected problems and implementation of corrective action (2)
Administrative Safeguards
The Privacy Rule requires covered entities to perform administrative tasks to protect privacy of health information. Scalable confidentiality and security procedures, designated security officer, sanctions for violations, and signed statement by all employees regarding confidentiality of data (1).
Technical Safeguards
Unique ID and password system stores password encrypted, weak passwords not allowed, automatic time logoff, system enforced password changes, firewall, and virus checking. Sharing of passwords between physicians and office managers is not allowed. Computers left open to the internet can leave medical records exposed to outsiders. Games on computers can crash the network and may contain viruses that damage network data. Passwords should give employees the level of information they need for their job.
Protecting Electronic Data
Confidential information stored on a portable electronic device such as a laptop, USB drive, CD, DVD or PDA should be encrypted to ensure data cannot be retrieved by an unauthorized person if lost or stolen.
Recycling
Placing protected information in an unsecured garbage can (including blue recycle cans) is not an acceptable method of disposal for documents that contain private information. Such information should be secured until shredded or properly destroyed.
Summary
Healthcare providers in all settings implement compliance programs to protect patient privacy and to ensure ethical business practices. This is necessary due to the increased severity of penalties established by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Balanced Budget Act of 1997 (public law 105-33). By ensuring ethical business practices through compliance programs, healthcare providers reduce their risk of criminal and civil litigation in regards to privacy and security.(3)
References
1.Hartley, C. & Jones, E. (2004) HIPAA Plain and Simple, a compliance guide for healthcare professionals. AMA Press, Chicago, IL
2.Healthcare compliance-an introductory guide for employees. Johnson and Johnson. Retrieved from: http://www.shareholder.com/Shared/DynamicDoc/jnj/1293/6210%20Overview%20Guide_WEB_single_pg.pdf
3.AHIMA (2011). Healthcare compliance. Retrieved from: http://www.ahima.org/resources/compliance.aspx
Submitted by Sherry Dexheimer
