


Your assignment submission should be a maximum length of five (5) pages. It should contain proper grammar, be free of spelling errors, and reflect critical thinking.


You are the compliance officer with a hospital system. You are responsible for training the staff on the new compliance policy you developed. Based on the information you learned in Module 2, create a presentation for your staff discussing the marketing and sale of protected health information. Your presentation must be concise, clear, and simple. Use all materials available to you for your presentation.


Terms, Regulations, and Compliance – Time to Learn the Law
Trelisha M. Brown, Professor

Health Info Management and Privacy; Law 689-711

Recognize the key terms under HIPAA and understand their importance in HIM and Privacy

Key HIPAA Terms

Legal Foundation

• You can find the HIPAA Administrative Simplification
Regulations at the following citations:

• 45 CFR Part 160

• 45 CFR Part 162

• 45 CFR Part 164


Breach

• The acquisition, access, use, or disclosure of protected
health information in a manner not permitted under
subpart E of this part which compromises the security or
privacy of the protected health information.
• 45 CFR 164.402

Business Associate (BA)

• A person or organization that performs a function
or activity on behalf of a covered entity but is not
part of the covered entity’s workforce. A business
associate can also be a covered entity in its own
• 45 CFR 160.103

Code Set

• Any set of codes used to encode data elements,
such as tables of terms, medical concepts,
medical diagnostic codes, or medical procedure
codes. This includes both the codes and their
• 45 CFR 162.103


Confidentiality

• The property that data or information is not made
available or disclosed to unauthorized persons or
• 45 CFR 164.304

Covered Entity (CE)

• Any business entity that must comply with HIPAA
regulations, which includes health-care providers,
health plans and health-care clearinghouses. For
purposes of HIPAA, health-care providers include
hospitals, physicians and other caregivers.
• 45 CFR 160.103

Covered Function

• Those functions of a covered entity the performance of
which makes the entity a health plan, health care provider,
or health care clearinghouse.
• 45 CFR 164.103

Data Aggregation

• The combining of such protected health information by
the business associate with the protected health
information received by the business associate in its
capacity as a business associate of another covered entity,
to permit data analyses that relate to the health care
operations of the respective covered entities.
• 45 CFR 164.501

Designated Record Set

• Any item, collection, or grouping of information that
includes PHI that is maintained, collected, used, or
disseminated by or for a covered entity
• 45 CFR 164.501


Encryption

• The use of an algorithmic process to transform data into a
form in which there is a low probability of assigning
meaning without use of a confidential process or key.
• 45 CFR 164.304

Electronic Media

• Electronic storage material on which data is or may be
recorded electronically
• 45 CFR 160.103

Electronic Protected Health Information (e-PHI)

• Individually identifiable health information transmitted by
electronic media or maintained in electronic media
• 45 CFR 160.103

Health Information

• The data related to a person’s medical history, including
symptoms, diagnoses, procedures, and outcomes

• Electronic Records

• Paper Records

• Fax Documents

• Oral Communication

• 45 CFR 160.103

Hybrid Entity

• A single legal entity: (1) That is a covered entity; (2)
Whose business activities include both covered and
noncovered functions; and (3) That designates health care
components in accordance with paragraph §
• 45 CFR 164.103

Individually Identifiable Health Information (IIHI)

• Individually identifiable health information is a subset of
health information, and as the name suggests, is health
information that can be linked to a specific person, or if it
would be reasonable to believe that an individual could
be identified from the information
• 45 CFR 160.103


Integrity

• The property that data or information have not been
altered or destroyed in an unauthorized manner.
• 45 CFR 164.304

Physical Safeguards

• Physical measures, policies, and procedures to protect a
covered entity’s or business associate’s electronic
information systems and related buildings and
equipment, from natural and environmental hazards, and
unauthorized intrusion.
• 45 CFR 164.304

Protected Health Information (PHI)

• Individually identifiable health information that is
transmitted or maintained in any form or medium
(electronic, oral, or paper) by a covered entity or its
business associates, excluding certain educational and
employment records
• 45 CFR 160.103

• 45 CFR 164 Subpart E – Privacy of Individually Identifiable Health Information

Reasonable Diligence

• The business care and prudence expected from a person
seeking to satisfy a legal requirement under similar
• 45 CFR 160.401

Security Incident

• The attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or
interference with system operations in an information
• 45 CFR 164.304

Willful Neglect

• Conscious, intentional failure or reckless indifference to
the obligation to comply with the administrative
simplification provision violated.
• 45 CFR 160.401

Reasonable Cause

• An act or omission in which a covered entity or business
associate knew, or by exercising reasonable diligence
would have known, that the act or omission violated an
administrative simplification provision, but in which the
covered entity or business associate did not act with
willful neglect.
• 45 CFR 160.401

Other Terms You Will Come Across

• CPT – Current Procedural Terminology

• EDI – Electronic Data Interchange

• HITECH – Health Information Technology for Economic
and Clinical Health Act

When HIPAA preempts state law and when it

HIPAA and State Law

Which Law Controls? 45 CFR 160 Subpart B

HIPAA or State Laws?

• HIPAA – Sets the federal standards for privacy protections
• HIPAA > State = HIPAA

• Preempts State law, until it doesn’t

Exceptions to the Rule

• Is the state law more stringent than the federal law?

• State Law > Federal Law = State Law

• State Law > when the following occurs:
• Greater access to personal health information

• More limits on provider disclosure of health information

Clash of the Titans

• HIPAA can potentially clash with state law
• Allowable use and disclosure

• Patient rights

• Deadlines for reporting breaches

Meet Chapter 181 of the Texas Health and Safety Code

• Health and Safety Code chapter 181 is more stringent
than HIPAA, its federal counterpart.

• Chapter 181 imposes the following requirements
• Training

• electronic health records access

• sales of protected health information

• notice and authorization for electronic disclosures

• Enforcement, disciplinary actions, and audits of covered entities

Expanded Definition of Covered Entities

• HIPAA: Health care providers who transmit electronic
PHI, health care clearinghouses, and health plans
– 45 CFR 160.102

• Chapter 181: Any person who engages in the practice
of assembling, collecting, analyzing, using, evaluating,
storing, or transmitting PHI, etc. – Chapter

Who Must Follow the Privacy Rule?

• The Privacy Rule standards apply to only:
• Health plans

• Health care clearinghouses

• Health care providers who transmit any health information
electronically in connection with certain transactions

• These are called “covered entities” under HIPAA
• See 45 CFR §§ 160.102 and 164.500


Examples of HIPAA Non-covered Entities

• Many organizations that have health information about
an individual do not have to follow the Privacy Rule, like:
• life insurers

• employers

• workers’ compensation carriers

• many schools and school districts

• lawyers with client medical records

• many state agencies

• child protective service agencies

• many law enforcement agencies

• many municipal offices


Expanded Definition of Covered Entities

• In Texas, a covered entity is defined very broadly to
include anyone who:
• engages in the practice of assembling, collecting, analyzing,
using, evaluating, storing, or transmitting protected health

• comes into possession of protected health information;

• obtains or stores protected health information; or

• is an employee, agent, or contractor of a person described


Access to and use of PHI

• Written requests for electronic copies of health records
must be fulfilled within 15 days, for providers who use
electronic health records systems

• Health care providers do not have to provide access to
protected health information if it falls under 45 CFR
• Psychotherapy notes;

• Information compiled for use in a civil, criminal or admin action

• PHI of Clinical Laboratory Improvements Amendments of 1988

• The HHSC Commissioner may recommend a standard
electronic format for releases of information


Training Requirements

• Covered entities must provide training “regarding the
state and federal law concerning protected health
information as it relates to”:
• “the covered entity’s particular course of business,” and

• “each employee’s scope of employment”

• Newly hired employees must receive training within 90
days of hire

• Material changes require retraining within one year

Texas Law: Individual Rights

• Within fifteen business days of a written request, the
covered entity must provide the patient with a copy of the EHR

• No charge for those applying for public benefits and
patient must receive record within 30 days
• Proof from the agency associated with the benefit is required

• Covered entities must provide notice that health
information is subject to electronic disclosure


Prohibited acts

• Covered entities are prohibited from four actions:

• Re-identifying or attempting to re-identify an

• Using PHI for marketing communications

• Selling PHI

• Electronically disclosing PHI without notice


Disciplinary action

• Covered entities violating these rules are vulnerable to:
• Injunctive relief restraints,

• Civil penalties, and

• Disciplinary action

• Disciplinary action can include:
• Revoking an agency’s license,

• Probation

• Suspension, and

• Referral to the OAG for civil penalties


Unauthorized Use of Identifying Information

• Texas Business and Commerce Code Section 521.053 –
Enacted Jan 2020

• Is more restrictive than HIPAA and requires businesses to:
• Provide notice to affected individuals

• Provide notice without unreasonable delay, but no later than 60
days after discovering the occurrence of a breach

• Provide notice to the Texas attorney general within the same 60
days after the discovery of a breach if the breach involves the
sensitive personal information (SPI) of 250 or more Texas

Identify those responsible for safeguarding
Protected Health Information

Who is the entrusted Guard?

The Privacy Rule

• A major goal of the Privacy Rule is to guarantee the
protection of individuals’ health information while allowing
health information to flow as needed to promote
high-quality health care and protect the public’s
health and well-being

• The Privacy Rule protects all “individually identifiable
health information” held or transmitted by a covered
entity or its business associate, in any form or media,
whether electronic, paper, or oral


Who are the PHI Guardians?

• Covered Entities

• health plans, health care clearinghouses, and any
health care provider who transmits health information
in electronic form

• Business Associates

• a person or entity that performs certain functions or
activities that involve the use or disclosure of PHI on
behalf of, or provides services to, a covered entity

What HIPAA Requires of Covered Entities

• Those organizations must have written policies and
procedures that are consistent with HIPAA regulations

• They must also have a specific person assigned to
ensuring that protected information is kept private and

• This person is responsible for:
• training other employees regarding the guidelines set forth by


• ensuring that all regulations are followed, and

• disciplining employees that do not comply with HIPAA


Covered Entities

• Specifically, covered entities must:
• Ensure the confidentiality, integrity, and availability of all e-PHI
they create, receive, maintain or transmit;

• Identify and protect against reasonably anticipated threats to
the security or integrity of the information;

• Protect against reasonably anticipated, impermissible uses or
disclosures; and

• Ensure compliance by their workforce.

• 45 CFR 164.306(a)

Business Associates

• The Privacy Rule requires:
• that a covered entity obtain written assurances from its
business associate that the business associate will safeguard
the PHI it receives or creates on behalf of the covered entity.

• the writing to be a contract or other agreement between the
covered entity and the business associate.

• 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)

Disclosures Requiring Authorization

• A provider must obtain authorization to:

• Give an individual’s information to their employer

• Use or share information for marketing or advertising

• Share private notes about an individual’s mental health
counseling sessions


Non-Disclosures of Protected Health Information

• What’s protected? Any information that could potentially
confirm the identity of a patient.

• Unless the patient gives express consent to share
information, the non-disclosure rule restricts the
transmission of patient information. This includes:
• Medical conditions;
• Provision of health care;
• Payment for health care

• Does not apply to releases for organ donation, medical
research, judicial proceedings, or requirements by law


Compliance with the Privacy Rule

• A covered entity may disclose PHI to facilitate treatment,
payment, or health care operations without a patient’s
express written authorization.

• Any other disclosures of PHI require the covered entity to
obtain written authorization from the individual for the

• When a covered entity discloses any PHI, it must make a
reasonable effort to disclose only the minimum necessary
information required to achieve its purpose.


Client Rights under HIPAA

• Right of access

• Amendment

• Written notice of privacy practices

• Accounting of PHI disclosures

• File a complaint

• Personal representatives and PHI

• Authorized disclosures of PHI


Mod 2 Summary

• Identify KEY / TRIGGER terms for privacy / security issues

• Recognize who, in your particular issue, is responsible for
safeguarding protected health information

• Determine which law, i.e. federal or state, governs, and
apply it appropriately

