HIPAA- Health insurance portability and accountability act PDF/PPT
HIPAA - Health Insurance Portability and Accountability Act

• HIPAA is a United States legislation that provides data privacy and security provisions for safeguarding medical information.

• The law has emerged into greater prominence in recent years with the proliferation of health data breaches caused by cyber attacks on health insurers and providers.

• This law was signed into law by US president Bill Clinton on 21st August 1996.

• The act has been divided into 5 sections or titles.



History of HIPAA

• HIPAA was enacted by Congress in 1966 in response to several issues facing health care coverage, privacy, security, and fraud in the United States.

• The Privacy Rule was the first aspect of HIPAA to be finalized, in 1999. Next came the Transactions and Code Sets final rule in 2000, followed by the Security Rule and the National Provider Identifier, or unique identifiers, rule. The Enforcement Rule specification of 2006 was the last part of HIPAA to be finalized in detail.


• There are five titles or sections:

• Title I protects health insurance coverage for individuals who lose or change jobs.

• It also prohibits group health plans from denying coverage to individuals with specific diseases and pre-existing conditions, and from setting lifetime coverage limits.



• Title II of HIPAA establishes policies and procedures for maintaining the privacy and the security of individually identifiable health information, outlines numerous offenses relating to health care, and establishes civil and criminal penalties for violations.

• It also creates several programs to control fraud and abuse within the health-care system. This title centres on the healthcare area, and it is what most people refer to as HIPAA compliance.

The following are the provisions under this title:

• Health care entities or health care providers are required to have a unique 10

• HIPAA PRIVACY RULE: this rule establishes rules and standards for the protection of individually identifiable health information.

• HIPAA ENFORCEMENT RULE: this establishes guidelines for investigations whenever HIPAA compliance is violated.


• A National Provider Identifier or NPI is a unique 10-digit identification number issued to health care providers in the United States by the Centers for Medicare and Medicaid Services (CMS).

• The NPI has replaced the Unique Physician Identification Number (UPIN) as the required identifier for Medicare services, and is used by other payers, including commercial healthcare

• All individual HIPAA covered healthcare providers or organizations must obtain an NPI for use in all HIPAA standard


Enforcement rule

• On February 16, 2006, HHS (health and human resources) issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006.

• The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations.

Privacy rule

• The Privacy Rule gives individuals the right to request a covered entity to correct any inaccurate PHI.

• It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with

• For example, an individual can ask to be called at his or her work number instead of home or cell phone numbers.


Transactions and Code Sets Standard

• Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.

• Protected Health Information [PHI] is information that is created or received by a covered entity that:

• Relates to the past, present, or future physical or mental health of an individual.

• Identifies the individual or contains reasonable information that can be used to identify the individual(s).



Protected information

• Social security number
• Family history
• Telephone number
• Fax number
• Account number
• Medical record number
• E-mail address
• Dates (birthday, admission, discharge)
• Certificate/license numbers
• Vehicle ID
• Personal assets
• Device identifier
• Biometric (finger or voice print)
• Photographs
• Any unique identifying number, code or characteristic.


Security rule

• Sets national standards for the security of electronic protected health information (e-PHI) that is sent from one location to another.

• The Security Rule's main goal is to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality of patient

• Designed to be flexible so that a covered entity can implement policies, procedures, and technologies that are appropriate for the entity's particular size and organizational structure.

• The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

• Specifically, covered entities must:

• Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.

• Identify and protect against reasonably anticipated threats to the security or integrity of the information.

• Protect against reasonably anticipated, impermissible uses or

• Ensure compliance by their workforce.


• Title III: Tax-related health provisions governing medical savings

• Title III standardizes the amount that may be saved per person in a pre-tax medical savings account.

• Beginning in 1997, medical savings accounts are available to employees covered under an employer-sponsored high deductible plan of a small employer and to self-employed individuals.

• Title IV: Application and enforcement of group health insurance

• Title IV specifies conditions for group health plans regarding coverage of persons with pre-existing conditions, and modifies continuation of coverage requirements.

• Title V: Revenue Offsets

• Title V includes provisions on company-owned life insurance and the treatment of those who lose their U.S. citizenship for income tax

Covered entities under the HIPAA act

Covered entities are the individuals or organizations that are required to be HIPAA compliant, that is, they need to implement HIPAA rules and regulations.

These entities include:

• Health plans or insurance companies

• Health care clearing houses

• Health care providers (hospitals, pharmacies, doctors, physicians, nurses, pharmaceutical industries)

• Research involving human volunteers


Role of HIPAA in clinical investigation

• Clinical investigations or clinical trials are systematic investigations in human subjects to evaluate the safety profile or efficacy profile of human drugs.

• This is the investigation phase or research phase involving human subjects or volunteers.

• Where there is involvement of human volunteers or subjects, there is involvement of health information or identifiable health information, hence the need for the Privacy Rule.


Requirements for HIPAA compliance of a covered entity

• Adopt privacy procedures and implement them.

• Train employees and make them understand about privacy

• Designate a privacy officer.

• Inform patients and individuals about their privacy rights and when and how their information will be used.

• Protect patient medical records.

Patient rights under HIPAA

• Right to be notified and informed regarding the use of their protected health information by health care entities, and to whom and why their information would be disclosed.

• Right to deny access to information and medical records.

• Right to authorization.

• Right to timely access to records and information for a reasonable fee.


AUTHORIZATION: Patient right under

Authorization under the Privacy Rule of HIPAA is an individual's signed permission which allows the use or disclosure of protected health information by a covered entity only for the reason mentioned in the

A patient giving a signed authorization means the individual is allowing or permitting the covered entity to use or disclose their health information.

A covered entity can only use protected health information when given

Can information be used without patient

The covered entities are also permitted to use PHI without authorization

• The use of PHI involves not more than a minimal risk to the privacy of the individual.

• Adequate measures or plans are taken to protect the identifiers from improper use and disclosure.

• Required by law.

• The research cannot be conducted without the access and the use of

Adverse event report

The Privacy Rule permits PHI to be disclosed for the reporting of adverse events only when:

• Allowed by the patient's or individual's authorization.

• Required by law.

• It is permitted by law for public health activities.


How can HIPAA be violated?

It can be violated in two ways:

A) Incidental disclosure

• It is an incidental or unintentional disclosure of PHI. This type of disclosure cannot be prevented by nature.

• A visitor may overhear a conversation between a physician and a patient which is confidential.

• It is an intentional or impermissible use or disclosure of PHI under the Privacy Rule of HIPAA.

A) Civil Penalties under HIPAA:

• Fine of $25,000 (maximum)

B) Criminal Penalties under HIPAA:

• Imprisonment up to 10 years in jail and/or $25,000 fine (in case of serious offences)



• PHARMACOVIGILANCE is the science and activities which involve the detection, assessment, understanding and prevention of adverse effects or any other drug or drug-related problem.

• Pharmacovigilance is involved in the detection of adverse effects during the clinical trial and post-marketing phases.

• It is involved in the collection of records pertaining to adverse effects or adverse drug reactions, analyzing, assessing and evaluating them, and promoting the safe use of drugs.

Objectives of pharmacovigilance

• To improve patient care and safety.

• To contribute to the assessment of benefit, harm and effectiveness of

• To identify previously unrecognized adverse effects of drugs.

• To promote the rational and safe use of medicine.

• To promote education and clinical training.

• To identify patient-related risk factors of ADR such as dose, age,

• Any response to a drug which is unintended, occurs at particular

• To diagnose or treat disease, or for the modification of physiological function.



To bring a drug from a laboratory as a new chemical entity to the market as a successful drug takes several years of hard work.

• The entire process from the time of discovering and developing the drug involves four stages:

A) Drug discovery

B) Drug development

C) Regulatory review and approval

D) Marketing

Clinical trial

• Clinical investigations or clinical trials are investigations in human subjects or volunteers to evaluate the safety profile and efficacy profile of human drugs.

• There are five distinct phases of the clinical trial cycle of a drug; these are as

• Phase 0) This phase is also known as the micro-dosing phase. In this phase a micro dose of the drug is administered to healthy human volunteers to understand the preliminary pharmacokinetic data of the drug, that is:

1) whether the drug is hitting the target or not
2) whether the therapeutic response or action is observed as claimed

• Phase 1) The pharmacological and metabolic actions of the medication are evaluated in healthy human volunteers. The trials are unblinded, controlled, involve not more than 100 volunteers (a small group) and usually last not more than a month.

• Phase 2) These trials further investigate the efficacy, dose response and tolerance of the drug. The trials involve a larger group (200-300) with the targeted disease. The inclusion and exclusion criteria are well defined.


Phase 3)

• This is the phase before the drug gets introduced in the market. Usually the studies are done over a larger group (several hundreds to several thousands) with the targeted disease.

• The drug's safety and efficacy are evaluated and confirmed, and hence this phase is also known as the confirmatory phase.

• In phases 2-3, the adverse effects or events observed are noted, recorded and assessed by the pharmacovigilance team.

• After the completion of phase 3 clinical trials, if the drug is found to be effective and safe, marketing authorization is granted by the regulatory body and the drug is introduced in the market.

• The pharmaceutical company may still conduct phase 4 clinical trials to continue to monitor the drug on a much larger scale, in a less controlled real-world environment.

Phase 4)

• This phase is called post-marketing surveillance. This is where pharmacovigilance and its role become important.

• Throughout this phase any problem related to the drug is reported and assessed.

• These may include adverse effects or adverse events or any problems related to the drug.


The importance of pharmacovigilance in phase 4 clinical trials

• Pre-clinical studies or animal studies are often not considered a good predictor of effects in humans.

• Certain effects or reactions or ADRs may be observed during the later phases of the clinical trials, that is phase 4 of the drug, as the drug is exposed to millions of people and a less controlled real world

• Hence these drug-related problems need to be detected, reported and assessed.

• This will help to avoid any future problems related to the drug.

• It will help to assess the risk-benefit ratio and will lead to safe and rational use of the drug.

• For the first two years after the drug is introduced in the market, the pharmaceutical company with the marketing authorization is required to collect and report safety data of the drug after every 6

• After two years, annual safety data reporting is done.


What is reported?

• It is important to report serious unexpected side effects.

• All suspected adverse reactions.

• Every problem related to the use of the drug.

• Any ADR which occurs during the course of the use of the drug, or overdose or misuse or abuse/inappropriate use.

• Even if no ADR is observed, it still has to be reported.

Reporting of safety data:

• The safety data of drugs should be reported by:

• Physicians

• Pharmacists

• Pharmaceutical companies

• Pharmacovigilance and regulatory managers

