PHI is any information that relates to a person's health condition now, in the past, or in the future.
If health information includes data that would let somebody identify the patient, it is classified as PHI (there are 18 such identifying elements in total).
Minimum Necessary Information
The minimum necessary information is the least information you need to do your job.
Access only the information you need
Only use the information to do your job
Limit the information you share with a person to only what that person needs to know to do their job
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
As compliance analysts, we focus on the following rules:
HIPAA Privacy Rule – Governs the use and disclosure of PHI. Applies only to covered entities. Covers all formats of PHI (paper, verbal and electronic). The Privacy Rule is issued by HHS.
HIPAA Security Rule – Protects electronic protected health information (e-PHI) and ensures the CIA (confidentiality, integrity and availability) of e-PHI. It is focused on the electronic format of PHI.
The HIPAA requirement hierarchy: Security Rule / Security Safeguard / Standard / Section / Required or Addressable implementation specification.
A covered entity or business associate must comply with every required implementation specification. For example, all covered entities and business associates, including small providers, must conduct a "Risk Analysis" in accordance with Section 164.308(a)(1) of the Security Rule.
For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, an organization decides if it will:
Implement the addressable implementation specification as stated;
Implement an equivalent alternative measure that allows the entity to comply with the standard; or
Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.