- Gambling Odds For Dummies
- Nfl Odds For Dummies
- Odds For Dummies
- Explaining Odds Ratio For Dummies
- Betting Odds 4 5
Why was HIPAA Created?
American odds work a little differently to the others. The odds for a favorite team to win the game are usually listed with a '-' sign, which indicates the amount a better would need to bet to win $100. For the underdogs, the odds are accompanied by a '+' sign. This shows how much a better would win if they staked $100. Let's see this in action. The odds show you how much you stand to win as well as the chances of success of the bet. So, in the case of 1/4, you’ll receive €1 for every €4 you bet. This bet is hardly worth making, even though you are highly likely of winning it. This is why understanding the odds is very important. To compute your $2 win price, take the odds of your horse and multiply the first number by 2, divide that by the second number, and then add $2 — simple as that!
The HIPAA for Dummies guide aims to explain all aspects of HIPAA, including its origins. The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and to address limitations on healthcare insurance coverage – such as portability and the coverage of individuals with pre-existing conditions.
Although responsible for widespread changes in the healthcare and healthcare insurance industries, the changes did not occur overnight. When the Act was passed in 1996, it only required the Secretary of Health and Human Services (HSS) to propose standards that would protect individually identifiable health information. The first set of proposed “Code Set” standards was not published until 1999, and the first proposals for the Privacy Rule only emerged in 2000.
HIPAA legislation has evolved significantly since its earliest incarnation. Not only has the language of the Act been modified to address advances in technology, but the scope of the Act has been extended to cover Business Associates – third party service providers that perform a function on behalf of a HIPAA-Covered Entity that involves the use or disclosure of Protected Health Information (PHI).
The HIPAA regulations are policed by the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). State Attorneys General can also take action against Covered Entities and Business Associates found not to be in compliance with HIPAA. Both OCR and State Attorneys General have the authority to impose financial penalties on Covered Entities and Business Associates for violations of HIPAA.
What is the Purpose of HIPAA?
In addition to the original purpose of HIPAA, the way in which it is implemented is constantly changing to accommodate advances in technology and changes to working practices – both of which have resulted in new threats to patient privacy and the security of PHI. For example, the original HIPAA legislation was drafted eight years before Facebook came into existence and eleven years before the first iPhone was released.
Therefore, since the original Privacy Rule, there have been a number of new HIPAA Rules (expanded on in the “HIPAA Explained” section below) plus frequent guidance has been issued by OCR regarding how Covered Entities and Business Associates should address issues such as BYOD policies, cloud computing and Workplace Wellness Programs. OCR guidance has also gone digital with the release of the Listserv application.
Much of the original language of HIPAA has remained unaltered because, despite the changing technological landscape, it was written to cover a great number of diverse scenarios. Therefore, whether a Covered Entity is a medical center maintaining patient records or an insurance company transferring the healthcare rights of an individual who is changing jobs, the purpose of HIPAA remains the same as it did in 1996.
HIPAA is also technology-neutral and does not favor one way of addressing a security vulnerability over another, provided the mechanism introduced to correct a flaw or vulnerability is subjected to a risk assessment and the reason for implementing it in place of a specified measure is recorded. It is also important to note that HIPAA does not preempt state law, except in circumstances when a state’s privacy and security regulations are weaker than those in HIPAA.
Understanding HIPAA for Dummies
For the benefit of clarification, we have detailed below the eighteen personal identifiers that could allow a person to be identified. In the context of HIPAA for Dummies, when these personal identifiers are combined with health data the information is known as “Protected Health Information” or “PHI”. When stored or communicated electronically, the acronym “PHI” is preceded by an “e” – i.e. “ePHI”.
Names or part of names | Any other unique identifying characteristic |
Geographical identifiers | Dates directly related to a person |
Phone number details | Fax number details |
Details of Email addresses | Social Security details |
Medical record numbers | Health insurance beneficiary numbers |
Account details | Certificate or license numbers |
Vehicle license plate details | Device identifiers and serial numbers |
Website URLs | IP address details |
Fingerprints, retinal and voice prints | Complete face or any comparable photographic images |
The main takeaway for HIPAA compliance is that any company or individual that comes into contact with PHI must enact and enforce appropriate policies, procedures and safeguards to protect data. HIPAA violations occur when there has been a failure to enact and enforce appropriate policies, procedures and safeguards, even when PHI has not been disclosed to or accessed by an unauthorized individual.
Violations of HIPAA often result from the following:
- Lack of adequate risk analyses.
- Lack of comprehensive employee training.
- Inadequate Business Associate Agreements.
- Inappropriate disclosures of PHI.
- Ignorance of the minimum necessary rule.
- Failure to report breaches within the prescribed timeframe.
Some HIPAA violations are accidental offences – for example, leaving a document containing PHI on a desk in clear view of anyone passing by. However, OCR does not consider ignorance an adequate excuse for HIPAA violations; and, although OCR may refrain from imposing a significant financial penalty on a Covered Entity for an accidental offence if the violation has not resulted in the unauthorized disclosure of PHI, it is likely that a course of “corrective action” will be required.
Who does HIPAA apply to?
Before trying to explain the ins and outs of HIPAA it is best to state when the legislation applies. Practically all health plans, healthcare clearinghouses, healthcare providers and endorsed sponsors of the Medicare prescription drug discount card are considered to be “HIPAA Covered Entities” (CEs) under the Act. Normally, these are entities that come into contact with PHI on a constant basis.
Under the definition of HIPAA Covered Entities provided by HHS, most employers are not considered to be CEs, even if they maintain records of employees’ health information. If employers use schemes such as the Employee Assistance Program (EAP), they are then considered “hybrid entities” and are required to be HIPAA-compliant.
Video Training
Engaging Content
Perfect Refresher
Flexible/Convenient
Self-paced Learning
Free
HIPAA
Training
Full Access to
Entire Course
“Business Associates” (BA) are also covered by HIPAA. These are entities who do not create, receive, manage or transmit PHI in the course of their main operations, but who supply services and perform certain functions for Covered Entities, during which they have access to PHI. Before undertaking a service or activity on behalf of a CE, a BA must complete a Business Associate Agreement guaranteeing to maintain the integrity of any PHI to which it has access, implement safeguards to protect the information, and restrict uses and disclosures of the information.
HIPAA Rules Explained
HIPAA legislation is essentially comprised of a number of rules, each of which lays out different requirements for HIPAA compliance. The rules are as follows:
HIPAA Privacy Rule: The Privacy Rule dictates how, when and under what circumstances PHI can be used and disclosed. Enacted for the first time in 2003, it applies to all healthcare organizations, clearinghouses and entities that provide health plans. Since 2013, it has been extended to include Business Associates.
The Privacy Rule sets limits regarding the use of patient information when no prior authorization has been given by the patient. Additionally, it mandates patients and their representatives have the right to obtain a copy of their health records and request corrections to errors. CEs have a 30-day deadline to respond to such requests.
HIPAA Security Rule: The Security Rule sets the minimum standards to safeguard ePHI. Anybody within a CE or BA who can access, create, alter or transfer ePHI must follow these standards. Technical safeguards include encryption to NIST standards if the data goes outside the company’s firewall.
Physical safeguards may relate to the layout of workstations (e.g. screens cannot be seen from a public area), whereas administrative safeguards unite the Privacy Rule and the Security Rule. They require a Security Officer and Privacy Officer to conduct regular risk assessments and audits. These assessments aim to identify any ways in which the integrity of PHI is threatened and build a risk management policy off the back of this.
Breach Notification Rule: The Department of Health and Human Services must be notified if a data breach has been discovered. This must be within 60 days of the breach’s discovery for incidents involving 500 or more individuals, and within 60 days of the end of the calendar year in which the breach was experienced for breaches of fewer than 500 records. Individuals whose personal information has been compromised must also be informed within 60 days, and if more than five hundred patients are affected in a particular jurisdiction, a media notice must be issued to a prominent news outlet serving that area.
Omnibus Rule: The Omnibus Rule activated HIPAA-related changes that had been part of the HITECH Act. These included the extension of HIPAA coverage to BAs, the prohibition of using PHI for marketing or fundraising purposes without authorization and new penalty tiers for violations of HIPAA. Part of those penalties can be retained by OCR to fund more stringent investigations of data breaches and complaints of noncompliance.
Enforcement Rule: Should a breach of PHI occur, this rule lays out how any resulting investigations are carried out. Once the level of negligence has been determined, appropriate fines can be issued. For example, if it is determined that the violation was due to ignorance, a fine of up to $50,000 can be levied against the negligent party per violation with an annual maximum of $25,000 for violations of an identical provision. If the violation was because of willful neglect and was not rectified within 30 days, a fine of $50,000 per offence is possible up to an annual maximum of $1,500,000 for violations of an identical provision.
Since the Final Omnibus Rule was introduced in 2013, new guidelines have been released on how PHI must be accessed and sent in a medical-related environment. The revised Act allocates patients further rights to know and manage how their health information is used.
HIPAA-covered entities and Business Associates must put in place mechanisms to limit the flow of information inside a private network, monitor activity on the network and take steps to stop the unauthorized disclosure of PHI beyond the network’s boundaries. More attention must be invested in conducting risk assessments, and new reporting procedures have been implemented to cover data breaches.
Changes to the HIPAA Security Rule list the conditions (“safeguards”) that must be in place for HIPAA-compliant storage and the communication of ePHI. These “safeguards” are referred to in the HIPAA Security Rule as either “required” or “addressable”. In fact, all the security measures are generally required – irrespective of how they are listed – as the following section explains.
The Required and Addressable Security Measures of HIPAA Explained
One area of HIPAA that has resulted in some confusion is the difference between “required” and “addressable” security measures. Practically every safeguard of HIPAA is “required” unless there is a justifiable rationale not to implement the safeguard, or an appropriate alternative to the safeguard is put in place that achieves the same objective and provides an equivalent level of protection.
An instance in which the implementation of an addressable safeguard might be not required is the encryption of email. Emails containing ePHI – either in the body or as an attachment – only have to be encrypted if they are shared beyond a firewalled, internal server. If a healthcare group only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted outside the protection of the firewall – there is no need to adopt this addressable safeguard.
The decision not to use email encryption will have to be backed up by a risk assessment and must be documented in writing. Other factors that may have to be considered are the organization’s risk mitigation strategy and other security measures put in place to secure the integrity of PHI. As a footnote to this particular section of HIPAA explained, the encryption of PHI at rest and in transit is recommended.
Gambling Odds For Dummies
HIPAA Encryption Requirements
HIPAA-covered entities are required to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI. Arguably one of the most important safeguards is encryption, especially on portable devices such as laptop computers that are frequently taken off site.
Encryption renders ePHI unreadable and undecipherable. The data can only be read if a key or code is applied to decrypt the data. If a portable device containing encrypted ePHI is stolen, and the code or key to decrypt the data is not also obtained, the data cannot be viewed.
While HIPAA was deliberately technology-agnostic, data encryption is mentioned in the HIPAA Security Rule, but it is only an addressable specification. HIPAA-covered entities must consider using encryption, but it is not mandatory for ePHI to be encrypted at rest or in transit.
HIPAA-covered entities should conduct a risk analysis and determine which safeguards are the most appropriate given the level of risk and their workflow.
If the decision is taken not to use encryption, an alternative safeguard can be used in its place, provided it is reasonable and appropriate and provides an equivalent level of protection. If encryption is not used, the decision not to encrypt must be documented along with the reasons why encryption was not used and the alternative safeguards that were used in its place.
If the decision is taken to encrypt data, HIPAA-covered entities should use an appropriate encryption standard. The National Institute of Standards and Technology (NIST) recommends Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME – although these standards may change.
HIPAA Password Requirements
HIPAA is vague when it comes to specific technologies and controls that should be applied to secure ePHI and systems that store health information, and this is certainly true for passwords.
Even though passwords are one of the most basic safeguards to prevent unauthorized accessing of data and accounts, there is little mention of passwords in HIPAA. The only HIPAA password requirements that are specified are that HIPAA-covered entities and their business associates must implement “Procedures for creating, changing, and safeguarding passwords.”
Even though password requirements are not detailed in HIPAA, HIPAA covered entities should develop policies covering the creation of passwords and base those policies on current best practices. It is strongly recommended that healthcare organizations follow the advice of NIST when creating password policies.
Video Training
Engaging Content
Perfect Refresher
Flexible/Convenient
Self-paced Learning
Free
HIPAA
Training
Full Access to
Entire Course
While NIST has previously recommended the use of complex passwords, its advice on passwords has recently been revised. Highly complex passwords may be ‘more secure’ but they are difficult to remember. As a result, employees often write their passwords down. To avoid this, passwords should be difficult to guess but also memorable. The use of long passphrases rather than passwords is now recommended.
Generally, passwords should:
- Be a minimum of 8 characters up to 64 characters, with passphrases – memorized secrets – longer than standard passwords recommended.
- NIST advises against storing password hints as these could be accessed by unauthorized individuals and be used to guess passwords.
- A password policy should be implemented to prevent commonly used weak passwords from being set, such as ‘password’, ‘12345678’, ‘letmein’ etc.
- NIST now recommends not forcing users to change their passwords frequently. A change should only be required infrequently or is there is very good reason for doing so – such as following a security breach.
- Multi-factor authentication should be implemented.
- NIST recommends salting and hashing stored passwords using a one-way key derivation function.
HIPAA Record Retention Requirements
There are no HIPAA record retention requirements as far as medical records are concerned but medical record retention requirements are covered by state laws. Data retention policies must therefore be developed accordingly.
For instance, a hospital in the state of South Carolina must retain medical records for 11 years after the discharge date, while in Florida medical records must be retained by physicians for five years after the last patient contact and hospitals must retain medical records for seven years after the discharge date.
When medical records are retained, they must be kept secure at all times. HIPAA requires appropriate administrative, technical, and physical safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI from the date of creation of ePHI to its secure disposal.
While there is not a minimum HIPAA medical record retention period, HIPAA does require covered entities to retain HIPAA-related documents. CFR §164.316(b)(2)(i) states that HIPAA-related documents must be retained for a period of six years from the date that the document was created. For policies, it is six years from when the policy was last in effect.
Insurance companies may be subject to FINRA laws which cover the retention of certain records. The Fair Labor Standards Act and the Employee Retirement Income Security Act also require certain records to be retained and the Centers for Medicare & Medicaid Services (CMS) requires healthcare providers to retain cost reports for five years after the closure of the cost report, while Medicare managed care program providers are required to retain records for ten years.
HIPAA Violation Reporting Requirements
The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – requires notifications to be issued after a breach of unsecured protected health information.
A breach is defined as a use or disclosure of protected health information not permitted by the HIPAA Privacy Rule that compromises the security or privacy of protected health information. Notifications are not required if a HIPAA-covered entity or business associate can demonstrate there is a low probability that PHI has been compromised, with that determination made through a risk analysis.
If notifications are required, they must be issued to patients/health plan members ‘without unnecessary delay’ and no later than 60 days after the discovery of a breach. A media notice must also be issued if the breach impacts more than 500 individuals, again within 60 days. The notice should be provided to a prominent media outlet in the state or jurisdiction where the breach victims are located.
The individual and media notices should include a brief description of the security breach, the types of information exposed, a brief description of what is being done by the breached entity to mitigate harm and prevent future breaches, and the steps that can be taken by breach victims to reduce the potential for harm.
The HHS’ Secretary must also be notified within 60 days of the discovery of a breach if the breach impacts 500 or more individuals, and within 60 days of the end of the calendar year in which the breach was experienced if the breach impacts fewer than 500 individuals.
A copy of the breach notices should be retained along with documentation showing that notifications were issued. If a security breach did not warrant the issuing of notifications, documentation must be retained detailing the risk assessment that established there was a low probability that PHI was compromised.
Most Common HIPAA Violations
A HIPAA violation is the failure to comply with any of the provisions of HIPAA Rules. While there are many potential areas where HIPAA Rules can be violated, ten of the most common HIPAA violations are detailed below. These violations have been discovered by OCR during investigations of data breaches and complaints filed by employees, patients, and plan members through the OCR complaints portal.
Risk Analysis Failures
One of the most common HIPAA violations discovered by OCR is the failure to perform a comprehensive, organization-wide risk analysis. HIPAA requires covered entities and their business associates to conduct regular risk analyses to identify vulnerabilities to the confidentiality, integrity, and availability of PHI.
Risk Management Failures
All risks identified during the risk analysis must be subjected to a HIPAA-compliant risk management process and reduced to a reasonable and appropriate level. Risk management is critical to the security of ePHI and PHI and is a fundamental requirement of the HIPAA Security Rule.
Lack of Encryption or Alternative Safeguards
While HIPAA does not demand the use of encryption, encryption is an addressable implementation specification and must be considered. The failure to use encryption or an alternative equivalent safeguard to ensure the confidentiality, integrity, and availability of ePHI has resulted in many healthcare data breaches.
Security Awareness Training Failures
HIPAA requires covered entities and business associates to implement a security awareness training program for all members of the workforce, including management. Training should be provided regularly and the frequency should be determined by means of a risk analysis.
Improper Disposal of PHI
When PHI or ePHI is no longer required it must be disposed of securely in a manner that ensures PHI is “unreadable, indecipherable, and otherwise cannot be reconstructed.” Paper records should be shredded, burnt, pulped, or pulverized, while electronic media should be cleared, purged, degaussed, or destroyed.
Impermissible Disclosures of PHI
An impermissible disclosure of PHI is a disclosure not permitted under the HIPAA Privacy Rule. This includes providing PHI to a third party without first obtaining consent from a patient and ‘disclosures’ when unencrypted portable electronic devices containing ePHI are stolen.
Failure to Adhere to the Minimum Necessary Standard
Covered entities must take steps to limit access to PHI to the minimum necessary information to achieve the intended purpose.
Failure to Provide Patients with Copies of PHI on Request
The Privacy Rule permits patients to access PHI and obtain copies of their protected health information on request. Requests for copies of PHI must be dealt with promptly and copies provided within 30 days of the request being received.
Failure to Enter into A Business Associate Agreement
Healthcare organizations may require individuals or entities to provide services that require access to PHI. Prior to any disclosure of PHI, the entity that performs those functions must enter into a business associate agreement (BAA) with the covered entity. The BAA outlines the business associate’s responsibilities to safeguard PHI, explains the permissible uses and disclosures of PHI, and other requirements of HIPAA.
Failure to Issue Breach Notifications Promptly
In the event of a data breach, notifications must be issued to affected individuals to alert them to the exposure of their PHI. Breach notifications must be issued without unreasonable delay and no later than 60 days from the date of discovery of the breach.
HIPAA Implications for Patients
The HIPAA implications for patients are that their healthcare information is treated more sensitively and can be accessed more quickly by their healthcare suppliers. Electronically stored health information is now better secured than paper records ever were, and healthcare groups that have put in place mechanisms to adhere with HIPAA regulations are witnessing greater efficiency. This results – as far as patients are concerned – in a higher standard of healthcare.
On the negative side, healthcare groups are not only concerned with the standard of healthcare they can give to individual patients. Healthcare groups want to increase the services they can supply, want to enhance the quality of care and improve patient safety through research. Regrettably, research is limited by HIPAA, and restricted access to PHI has the potential to slow the pace at which improvements can be made in healthcare.
There is also a price to pay for better data security, and although the enactment of the Meaningful Use program gave financial incentives for healthcare providers to digitalize paper records, adapting the necessary controls to secure ePHI can carry a substantial cost. Increasing funding for compliance may reduce the level of patient care, while the administrative strain that HIPAA-compliance places of healthcare organizations furthers exhausts available resources.
Explaining HIPAA to Patients
Healthcare organizations are now required by law to give patients a notice of their privacy practices and get patients to sign to confirm receipt of the document. A good practice to adopt is to put all relevant information in the Notice of Privacy Practices and then give patients a summary of what the policy contains. For instance, explain to the patient:
- They may request their medical records whenever they like.
- They may request you amend their medical records to correct errors.
- They can limit who has access to their personal health information.
- They can choose how you communicate with them.
- They have right to complain about the unauthorized disclosure of their PHI and suspected HIPAA violations.
Healthcare Organizations and the Implications of HIPAA
If data privacy and security is not adequately managed, the Office for Civil Rights can issue fines for non-compliance. Avoidable data breaches could see considerable financial penalties applied. Under the penalty structure brought in by HITECH Act, violations can lead to fines up to $50,000 per violation up to a maximum of $1.5 million per year, for violations of an identical provision. Lawsuits can also be initiated by state attorneys general and fines of up to $250,000 per violation category are possible. Covered entities and Business Associates may also be sued by victims of data breaches.
CEs and BAs – and their employees – who breach HIPAA for personal gain or under false pretenses can be held criminally liable and have criminal penalties imposed by the Office for Civil Rights, via the Department of Justice, which can include a fine of up to $250,000, restitution, and up to ten years’ imprisonment with a further two years for aggravated identity theft.
The high odds of healthcare organizations becoming targets for cybercriminals and the exorbitant cost of addressing data breaches – issuing breach notification correspondence, offering credit monitoring services and covering regulatory fines, and legal costs – is far higher than the cost of achieving full compliance. But, while the initial investment in the necessary technical, physical and administrative security measures to secure patient data may be high, the improvements can lead to savings over time as a result of improved efficiency.
Organizations that have already implemented mechanisms to adhere with HIPAA often see their workflows streamlined and the workforce can become more productive, allowing healthcare organizations to reinvest their savings and provide a higher standard of healthcare to patients.
Explaining HIPAA to Staff
Explaining HIPAA to staff members of CEs and BAs requires far more work than explaining HIPAA to patients. In order to adhere with HIPAA, organizations must compile privacy and security policies for their employees, and develop a sanctions policy for staff members who do not comply with HIPAA requirements. Therefore it is important to explain HIPAA to workers HIPAA in greater detail.
The best method of explaining HIPAA to employees is in special compliance training tutorials. Although the HIPAA regulations require training to be provided annually, we feel there is so much for employees to take in relating to the security and privacy of personal health information, that compliance training sessions are better short and frequent. Trying to explain HIPAA to employees in a four-hour training session will likely fail.
A lot of the explanation will concentrate on the privacy and security of PHI, but how this is adopted will likely have an effect on the employees themselves. For instance, employees should be prevented from exchanging information about patient healthcare via their mobile device unless appropriate controls have been implemented. Due to the number of healthcare centers adopting BYOD policies, this will mean workers may have to download safe communication apps to their personal mobile devices in order to communicate ePHI.
HIPAA Summary for Dummies
In a way, HIPAA was quite forward-thinking. Although Congress had been passing privacy laws since the 1970s, HIPAA addressed the digitalization of medical records and stipulated the safeguards HIPAA-covered entities should apply in order to protect healthcare data in both paper and digital formats. The digitalization of medical records was later encouraged via amendments in the HITECH Act to bring HIPAA up to date.
Compliance with HIPAA is an ongoing exercise. There is no one-off compliance test or certification one can achieve that will absolve a Covered Entity from sanctions if an avoidable breach or violation of HIPAA subsequently occurs. Indeed, OCR has issued a statement advising Covered Entities and Business Associates that it does not endorse any private consultants’ or education providers’ seminars, materials or systems, nor does it certify any persons or products as “HIPAA compliant.”
Video Training
Engaging Content
Perfect Refresher
Flexible/Convenient
Self-paced Learning
Free
HIPAA
Training
Full Access to
Entire Course
Nfl Odds For Dummies
If you are unsure about any element of HIPAA, it is recommended you seek professional advice. It has already been mentioned above that ignorance of HIPAA is not an adequate excuse for noncompliance, and there does not necessarily need to have been an unauthorized disclosure of PHI in order for a violation of HIPAA to warrant sanctions. Therefore, although the resources required to achieve HIPAA compliance may be considerable, there is no alternative if your organization collects, processes, stores or disposes of PHI or ePHI that to become compliant with HIPAA.
Additional Articles about HIPAA Compliance
You may find the following articles useful:
HIPAA for Dummies FAQs
Are all disclosures of PHI without patient consent breaches of HIPAA?
Odds For Dummies
Allowable disclosures of PHI include sharing PHI with the data subject (i.e. the patient), and when PHI is shared for treatment, payment, and health care operation activities. Exceptions to the disclosure rule also exist when a patient is incapacitated, when it is in the public interest for PHI to be disclosed, or when an unintended disclosure is “incident” to an allowable disclosure – i.e. if a patient´s age is disclosed when discussing his or her treatment options.
With regards to the HIPAA record retention requirements, is it okay to store records in the cloud?
HIPAA does not distinguish between retaining records in the cloud or on-premises; and in many circumstances it makes sense to take advantage of cloud services to reduce capital expenses in the IT department. However, before storing records in the cloud, it is necessary to sign a Business Associate Agreement with the Cloud Service Provider and have a full understanding of what areas of data security you are responsible for under the Provider´s “shared responsibility model”.
How do I know if I need to sign a Business Associate Agreement with a third party?
If a third party handles, uses, distributes, or accesses PHI during the provision of a services or the performance of a function or activity on behalf of a Covered Entity, they likely qualify as a Business Associate under HIPAA and it would be necessary to sign a Business Associate Agreement with them. It is also necessary to sign a Business Associate Agreement with any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate.
Why did it take seven years from the passage of HIPAA for the Privacy Rule to be enacted?
When HIPAA was passed in 1996, one of its clauses stated the Department for Health and Human Services (HHS) would only be responsible for developing privacy regulations if Congress did not enact privacy legislation within three years. HHS released its proposed HIPPA Privacy Rule in 1999; but, due to the volume of public comments (more than 52,000), the Final Rule was not published until 2002 with an effective date of April 2003.
Can a Covered Entity be held liable for a breach of HIPAA if an employee discloses PHI without authorization in their self-interest?
In certain circumstances – for example when the unauthorized disclosure is incidental to the employee´s normal duties – a Covered Entity can be held liable for a breach of HIPAA. The HHS´ Office of Civil Rights will take into account the efforts the Covered Entity has made to prevent unauthorized disclosures when calculating what penalties to impose; however, if the individual whose PHI has been illegally disclosed brings a civil action against the Covered Entity, a court may not take the same view.
How to Read Sports Odds and Betting Lines
I’ve titled this Sports Betting For Dummies. It’s a tutorial for those who want to start betting on sports or those who want to gain a better understanding of some of the terminology and theory behind it. We’ve all been in the position of learning something new, so please don’t be embarrassed if you don’t grasp these concepts. Instead, contact me via the form at the bottom of this page, and I’ll help you in any way I can.
You want to put a few coins on this weekend’s games, or perhaps you just want to be able to decode all of that jibberish you see in the sports section every week. How do you read those sports odds, and what does over/under, minus/plus, giving points, taking points mean?
WHAT DOES IT ALL MEAN?
I will painlessly explain all of the mysteries of sports betting 101 aka “Sports Betting for Dummies.” First of all, you have nothing to be ashamed of, you have taken the first and most important step of all – learning! Why waste money on a game that you don’t fully understand? You shouldn’t! That is why you are here now, to learn how it works and how to win!
Topic #1 The Point Spread and Totals
Okay, you look at the games for Sunday and you see the betting lines displayed something similar to;
San Francisco -5 vs. St. Louis 41
You may look at that and be intimidated and feel helpless, but I’m going to decode this little bugger for you. This is the betting line – not the odds. The odds are what you are to be paid (covered later).
Whenever you see a team with a (-) negative number next to them, (-5 in this case), it means that team is favored to win by that number of points.
The number after the matchup (41) is the projected total points to be scored by both teams added together. There are two options here. A player can choose to bet on the matchup, either San Fran -5 points or St. Louis +5 points.
For the player who wagers on San Francisco -5, San Fran must win by more than 5 points for this to be a winning bet. For the player who wagers on St. Louis +5, they must either win the game or lose by less than 5 points for this to be a winning bet. If the outcome falls on the number, the bet is declared a “Push” and your original stake amount gets refunded.
See, that wasn’t too difficult, was it?
Sometimes you will see the points displayed as half numbers like San Fran -5.5. If you bet on San Fran, and they win by 6, you win the bet. If they win by 5 or less, you lose. Clear? If not, submit your question in the form at the bottom of the page and ask me. I’m here to help.
Okay, so the other betting option available to you is the total or ‘Over/Under.’ You can choose to bet that the total points between the two teams will either be greater (OVER) or less than (UNDER) the projected total. Again, if you bet either way and the game ends up being 20-21, for a total of 41 points, then you will receive a refund of your wager amount.
Topic # 2 The Moneyline or Straight-Up wager
This is where you simply wager on which team will win the game outright, no point spreads, no BS…just the straight up winner. Although this may appear to be easier, you will pay for it as the odds (payout) will reflect the lack of a point spread. If you wager on a favorite, then you will win less than with a point spread, but if you wager on the underdog…and win…you will receive and even greater win amount based on the higher risk taken.
Topic # 3 How to Read Sports Betting Odds
Okay, so you have made your selection, now what? How much do I bet, and how much will I win? Standard questions, and great questions for new sports bettors to ask! There are three ways that you will typically see odds displayed, as a fraction 2/1 (or 2 to 1), as a decimal 2.00, or “American Style Betting Odds” +100.
For reading the fraction odds, I strongly recommend converting them to a decimal. This will make figuring out your potential win much much easier! To do this, just like in 2nd grade, you take the first number and divide it by the second. So if your odds read 7/4, you simply divide (7) by (4), which equals 1.75. That is the decimal form odds, now you simply multiply (1.75) by whatever your wager amount is to figure out your potential profit. In this case, if you were to risk $100, then your potential win would be $175 profit if you are correct! Also, you will receive your initial bet amount of $100 as well, for a total of $275 in your hand.
Now for American Style Sports Odds. Typically, when you are betting on the point spread, as in topic #1 above, the odds are displayed or implied to be (-110), which is known as American Style odds. The American Style odds format is based on $100. When the number, is displayed as a negative number (-110), it indicates how much money you must risk to realize a profit of $100. In our scenario, you must wager $110 to win $100 profit. If you do, you will receive $210 when you cash in…the winning amount PLUS your initial wager amount.
Explaining Odds Ratio For Dummies
When you see the number displayed as a positive number such as (+150), it indicates how much money you will profit if you RISK $100. So, if you wager $100 on a team that pays (+150), and you win, you will receive $250. That is the $150 that you won, plus your $100 original stake returned.
Topic #4 Now What?
Now that you have the basics down, there is only one thing left to discuss – where to bet that is safe. I strongly recommend that you start by wagering on only one pick per day. You don’t want to spread yourself too thin and have your hand in every match available. If you bet that way, you will surely get nickel and dimed out of your bankroll. Spend time studying the teams and choose your best selection available. Decide on a budget of how much you are willing to risk. Now you need a reputable online sportsbook (online sports betting site) to do business.
There are millions of sites out there, but only a handful that will treat you right. I deal with a few main sites in my personal online sports betting,Bovada, BetOnline, and MyBookie.
Check these sites out and see which one fits you best. Maybe you will take advantage of the bonuses at those sites and then decide which one you want to continue to use. I prefer to use multiple sites, so I have a selection of lines to choose from to get the best available payout! Whether you want to bet $1 or $500, any of these sites will work just fine for you and pay you quickly when you win. If you want more details and options, just go to the sportsbook reviews and ratings page.
I hope that I have answered some of the nagging questions about sports betting and how it works. Feel free to use the form below to contact me directly with any question you may have. I’m here to help you understand and win! Good luck!
Betting Odds 4 5
Also, be sure to check out my free sports picks!