HIPAA Privacy Rule – Flashcards

question
Federal agencies
answer
Those entities to whom the Federal Privacy Act of 1974 applied
question
Covered Entity
answer
health plans, healthcare clearinghouses and healthcare providers who electronically transmit information under standards of operation established by HHS
question
HIPAA
answer
Health Insurance Portability and Accountability Act created to improve continuity of health insurance coverage and the administration of health care services
question
HIPAA's Privacy Rule
answer
Protects patients' information so that it is available to those who need to see it, while protecting that information from those who should not
question
Covered entities
answer
Organizations that access the personal health information of patients. They include health care providers, health plans, and health care clearinghouses.
question
Health care provider
answer
Any professional who provides health care services
question
Workforce
answer
As defined in the HIPAA law, includes everyone involved with a covered entity, whether or not they are full time and whether or not they get paid: an employee within a Covered Entity, or any member of a service contracted with a facility that does not make use of PHI (e.g. laundry, cleaning services, etc.)
question
Individually identifiable health information (IIHI)
answer
Health care data that can be connected to a specific person
question
Protected health information (PHI)
answer
Any identifiable patient health information regardless of the form in which it is stored
question
Use
answer
As defined by HIPAA, the sharing of information between people working in the same health care facility for the purpose of caring for a patient. With respect to individually identifiable health information, it means the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
question
Disclosure
answer
As defined by HIPAA, the sharing of information between health care professionals working in separate entities, or facilities, in the course of caring for a patient
question
Incidental use and disclosure
answer
The accidental release of PHI during the course of proper patient care
question
Minimum necessary
answer
Reveal only the smallest amount of information required to accomplish the task and no more. When using any PHI, a covered entity must generally make reasonable efforts to limit itself to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
question
Privacy notice
answer
A covered entity's written policies and procedures for protecting its patients' PHI
question
portability
answer
protects and guarantees health insurance coverage when an employee changes jobs
question
accountability
answer
protects health data integrity, confidentiality, and availability
question
privacy
answer
the right of an individual to keep his/her individual health information from being disclosed
question
disclose
answer
release or divulgence of information by an entity to persons or organizations outside of that entity
question
authorization
answer
the mechanism for obtaining consent from a patient for the use and disclosure of health information for a purpose that is not treatment, payment, or healthcare operations; required to disclose PHI to a person or agency outside the facility
question
PHI (protected health information)
answer
all individually identifiable health information and other information on treatment and care that is transmitted or maintained in any form or medium
question
not PHI
answer
PHI or not PHI? Education records; health information in your personnel record; workman's comp records; psychotherapy notes
question
PHI
answer
PHI or not PHI? Account numbers; device identifiers and serial numbers; medical record numbers; health plan beneficiary numbers; clinical test results; medication prescriptions; counseling session start/stop times
question
notice of privacy practices
answer
purpose: to provide consumers with adequate notice of uses or disclosures of PHI. Must be written in plain language; must be provided at the time of first service or assessment for eligibility; has to provide privacy officer contact information.
question
60
answer
requests for access to PHI by consumers must be responded to by the facility within __ days
question
6 years; april 14, 2003
answer
accounting of disclosures: -time frame: ______ -clock starts: ____________
question
security
answer
how we protect PHI from accidental or intentional disclosure, alteration, destruction, or loss
question
building/physical; computer/electronic
answer
what are the 2 types of security in HIPAA
question
$25,000
answer
civil penalties for failure to comply: fine per year for multiple violations; fine cap per year per requirement
question
$50,000; 1 year prison
answer
criminal penalties for failure to comply: knowingly or wrongfully disclosing or receiving PHI
question
$100,000; 5 years prison
answer
criminal penalties for failure to comply: committing the offense under false pretenses
question
$250,000; 10 years prison
answer
criminal penalties for failure to comply: intent to sell PHI or client lists for personal gain or malicious harm
question
What is HIPAA?
answer
Health Insurance Portability and Accountability Act
1. HIPAA makes it illegal for information to be released to inappropriate parties
2. Intended to make it easier for patients to move from one insurance plan to another
3. Establishes a standard format for health care organizations to share medical information
question
Patient Rights
answer
1. HIPAA requires that patients be made aware of their rights and how to protect their information
2. Health care providers are required to post notices for patients telling them how their health care information is used
question
Protected H Info
answer
PROTECTED HEALTH INFORMATION
1. PHI includes information about a person's physical health, mental health, provided care and payment for that care
2. All PHI is considered confidential under HIPAA, such as: Name, Address, Social Security Number, Birth Date, Names of Relatives
question
Who is authorized to see information?
answer
1. Access is based on a Need-to-know basis
2. Not all members that contribute to the quality of care need to see patient information
3. Interns never record information they may hear about the patient if it pertains to their medical condition; doing so may be a HIPAA violation
question
How is Patient Information Used?
answer
1. Billing Departments: use the information to bill patients and insurance companies
2. Quality Control Personnel: review the information for the purpose of monitoring patient care
3. Caregivers: use information to determine the care treatments patients will receive
4. Other uses are not allowed!
question
Violations and Consequences
answer
HIPAA Violations
1. Fines and civil penalties can be filed against any individual that negligently discloses or knowingly & willfully obtains, discloses or uses medical information
2. Fines can be brought against an institution for failing to prevent/report unauthorized access, use or disclosure of medical information
HIPAA Consequences
Civil Penalties: range from $100 per violation to an annual maximum of $1.5 million for repeated violations. The amount of the penalty is based on reasonable cause for the HIPAA violation, willful neglect, and corrective steps taken.
Criminal Penalties: consist of a fine of up to $250,000 as well as a prison sentence of up to 10 years.
question
Patient Identification
answer
1. Patient's Nurse
2. Patient's chart
3. White Board
4. Wrist Band
5. Open-ended question
NOTE: USE AT LEAST TWO PATIENT IDENTIFIERS
question
Business Associate
answer
a person or business who, on behalf of the Covered Entity, uses and/or discloses protected health information
question
HIPAA Administrative Simplification
answer
process implemented to standardize the electronic transmission of health data.
question
healthcare operations
answer
process of reviewing information in medical records for those patients admitted within specific time frame after discharge
question
facility directory
answer
example of a disclosure to which the patient has the right to agree or object
question
Hybrid entity
answer
a facility that performs both covered and non-covered functions under the HIPAA privacy rule. ex. University Medical Clinic
question
Notice of Privacy Practices required elements
answer
effective date of the notice; description of the grievance process; list of individual rights per the HIPAA privacy rule
question
HIPAA Privacy Rule
answer
Violation of this rule included failure to provide patients with a Notice of Privacy Practices.
question
HIPAA consent
answer
Patient's agreement to use or disclosure for TPO purposes
question
minimum necessary requirement
answer
rule that does not require the consent of the patient to transfer records to a facility for follow up care.
question
What title of HIPAA is most relevant to HIT?
answer
Title II, which contains info on 1) Preventing Health Care Fraud and Abuse, 2) Medical Liability Reform, and 3) Administration Simplification.
question
What is administration simplification?
answer
HIPAA's attempt to streamline and standardize the healthcare industry's nonuniform and seemingly chaotic business practices, such as billing.
question
Does HIPAA preempt state laws?
answer
No, it only serves as a federal floor or minimum on privacy requirements - stricter state laws still prevail.
question
What is ARRA and when was it signed into law?
answer
American Recovery and Reinvestment Act (2009)
question
How was ARRA important?
answer
It included significant funding for HIT, provided important changes for the HIPAA Privacy Rule/implemented the HITECH Act (Health Information Technology for Economic and Clinical Health Act)
question
What are some major issues HITECH deals with in regards to Privacy?
answer
Business associate agreements, minimum necessary requirements, individual rights, breach notification, personal health record vendors, marketing/fundraising/sale of information, and increased enforcement and penalties for noncompliance.
question
What are the 2 key goals of the Privacy Rule?
answer
1) Provide an individual with greater rights with respect to his or her health information, and 2) Provide greater protections for one's health information.
question
What is PHI?
answer
Protected Health Information - individually identifiable health information that is transmitted by electronic media, maintained in any electronic medium, or maintained in any other form or medium.
question
What does individually identifiable mean?
answer
The information must either identify the person or provide a reasonable basis to believe the person could be identified from the information.
question
What are examples of covered entities?
answer
Healthcare providers, health plans, and healthcare clearinghouses.
question
What are business associates?
answer
A person or organization, other than a member of a covered entity's workforce, that performs functions or activities on behalf of or to a covered entity that involves the use or disclosure of PHI (i.e. consultants, billing companies, transcription companies, accounting firms, and law firms).
question
What is the designated record set?
answer
The health records, billing records, and various claims records that are used to make decisions about an individual.
question
What are the 3 types of situations in which PHI is handled?
answer
1) Use - internal to a covered entity or its business associate, 2) Disclosure - the dissemination of PHI from a CE or its BA, 3) Requests - those made by a CE or its BA.
question
What is the minimum necessary standard and who does it apply to?
answer
A rule that applies to individuals who work for an organization (providers and other CEs) that they must limit the use, disclosure, and requests of PHI to only the amount needed to accomplish the intended purpose (excludes TPO).
question
What is TPO?
answer
Treatment, Payment, and Operations (the exceptions to the release of PHI).
question
When does the privacy rule apply to CEs?
answer
When they are directly or indirectly involved with transmitting or performing any electronic transactions specified in the act (i.e. in regards to health claims, insurance coverage, etc.).
question
What is a business associate agreement?
answer
The written contract that BAs of CEs must sign to agree to abide by the covered entity's requirements to protect the information's security and confidentiality.
question
What are workforce members?
answer
Employees, volunteers, student interns, trainees, and on-site contractors/vendors for whose actions the covered entity is responsible.
question
How can a CE properly ensure the de-identification of information?
answer
1) Strip it of all identifying information (name, SSN, locations, dates, etc.), or 2) Have an expert apply statistical and scientific principles to minimize the identification risk.
question
What individual rights does the HIPAA Privacy Rule provide?
answer
Right of access, right to request amendment of PHI, right to accounting of disclosures, right to request restrictions of PHI, right to request confidential communications, and right to complain of Privacy Rule violations.
question
What are valid grounds for denying access to personal PHI?
answer
Without opportunity to appeal, any records that are: psychotherapy notes, compiled for legal proceedings, subject to CLIA, about an inmate and could cause harm, subject of research to which denial of access has been agreed, subject to Privacy Act, or obtained from someone in confidence. With opportunity to review: any records where a licensed professional determines access may endanger life or safety, or there is reference to another person and access could cause harm.
question
How long does a CE have to provide requested information?
answer
30 days, and up to 30 days more if written notice is given as to why and the expected date of availability (60 days if the info is stored off-site).
question
How long does a CE have to respond to a request for amendment to information?
answer
60 days and up to 30 more if given a written notice as to why/ETA.
question
What actions must be taken if the amendment is granted?
answer
The amendment must be linked to the original entry, and the amendment must be sent to whomever the patient requests.
question
What information must be given to the patient if their request for amendment is denied?
answer
The basis for denial, their right to submit a statement disagreeing with the denial (and how to submit this), that the request for amendment and denial will accompany any new requests for information, and a contact person who they can complain to.
question
What amount of time must covered entities retain an accounting of disclosures?
answer
3 years
question
What information does not need to be accounted for in the accounting of disclosures?
answer
TPO information (if the provider does not have an EHR), disclosure to the patient themselves, any disclosure incidental to another proper disclosure, any for the facility directory, any for national security, for law enforcement officials, or part of a limited data set.
question
What information must be included in the accounting of disclosures?
answer
Date, name and address of requestee, and brief statement of the purpose of disclosure.
question
How long does a CE have to produce an accounting of disclosures?
answer
60 days and an extension of 30 days if notification is given to the patient
question
What act allows patients to request restrictions of PHI (for TPO purposes) and in what circumstances?
answer
ARRA, when a patient pays completely out of pocket and the CE agrees (it is not required to do so).
question
What are the 3 key documents of the Privacy Rule?
answer
Notice of Privacy Practices (required), authorization (required), and consent (optional).
question
What is the notice of privacy practices?
answer
A notice explaining how an individual's PHI will be used or disclosed, along with their rights, and the CE's legal duties.
question
What are some elements that must be included in the NPP?
answer
Standard header, description of how information will be used for TPO and for other purposes, statement that other disclosures will only be made with the patient's consent, statement of the individual's rights, how to make complaints and the contact person to do so, and effective date.
question
What are consents for?
answer
To obtain (optional) consent from patients for TPO purposes before treatment is given.
question
What must a valid authorization form contain?
answer
Description of the info being disclosed, people authorized to request the data, who can make the disclosure of data, expiration date, statement of the right to revoke authorization, statement that info is subject to redisclosure, signature/date, and a representative's right to sign (if applicable)
question
What type of documentation always requires authorization for use/disclosure (except for TPO)?
answer
Psychotherapy notes
question
When is the use or disclosure of PHI required, even without patient authorization?
answer
1) When the patient or their representative requests access or accounting of disclosures (with exceptions), 2) When HHS is conducting an investigation, review, or enforcement action.
question
What are the permitted uses and disclosures of PHI without written patient consent, but where the patient has the right to object?
answer
1) Patient directory, and 2) Notification to relatives and friends.
question
What are the permitted uses and disclosures of PHI without written patient consent where the patient cannot choose to object?
answer
1) Public interest and benefit (12 situations), 2) TPO purposes, 3) To the individual, 4) Incidental disclosures, and 5) Use in limited data sets.
question
What are the 12 public interest and benefit situations where PHI may be disclosed without patient consent? (First 6)
answer
1) As required by law, 2) For public health activities, 3) To disclose PHI regarding victims of abuse, neglect, and domestic violence, 4) For health oversight activities, 5) For judicial and administrative proceedings, 6) For law enforcement purposes (6 situations),
question
What are the 12 public interest and benefit situations where PHI may be disclosed without patient consent? (last 6)
answer
7) Regarding decedents (i.e. to coroner or ME), 8) For cadaver organ, eye, or tissue donation, 9) For research (with limitations), 10) To prevent or lessen serious threat to health or safety, 11) For essential government functions, 12) For workers comp.
question
What are the 6 situations where PHI can be disclosed without authorization for law enforcement purposes?
answer
1) Pursuant to legal process or otherwise required by law, 2) In response to a request for identifying/locating a suspect, fugitive, material witness, or missing person, 3) In response to an official request about someone who is, or is suspected to be, a victim of a crime, 4) About a deceased person whose death may have resulted from criminal conduct, 5) When it is believed in good faith that criminal conduct occurred on the CE's premises, and 6) In response to a medical emergency.
question
Who is subject to breach regulations under ARRA? Under the FTC?
answer
ARRA: HIPAA covered entities and business associates. FTC: noncovered entities and non-BAs (i.e. PHR vendors).
question
What is a breach?
answer
An unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information.
question
What type of information does a breach not include?
answer
Disclosures to unauthorized persons if they would not reasonably be able to retain the info, or unintentional access by an employee or BA if it was in good faith/within the scope of employment. It must also pose a "risk of harm" (financial or reputation). Does not apply if the information is encrypted, only if it is unsecured PHI.
question
How long does a CE have to inform an individual that their PHI has been breached?
answer
As quickly as possible, and within 60 days if there is "imminent misuse."
question
How many breaches justify a web posting or use of media to inform the public?
answer
9
question
When must the secretary of HHS be contacted along with a media outlet to provide breach notification?
answer
When 500+ people are affected
question
What information must be included to an individual for a breach notification?
answer
Description of what occurred (the date it happened and the date it was discovered), the types of PHI involved, steps the individual may take to protect themselves, what the entity is doing to prevent/rectify the situation, and contact info for any questions.
question
How does the privacy rule define marketing?
answer
Communication about a product or service that encourages the recipient to purchase or use that product or service.
question
What marketing activities do not require authorization?
answer
Ones that occur face-to-face with the CE or they concern a promotional gift of nominal value to the patient.
question
What does not qualify as marketing, and therefore requires no authorization?
answer
Communications to describe health-related products and services, communication for treatment of the individual, and case management or care coordination for the individual.
question
What are exceptions when a CE can make "paid" communications with the patient?
answer
When it is in regards to a prescribed drug where the payment was "reasonable" or it is from a BA on behalf of the CE. If payment was accepted it must always be prominently stated and have the option to opt out.
question
When is a CE allowed to market a certain group of individuals?
answer
When it may be beneficial to them, it is explained why they are being targeted, and how the service relates to them.
question
When is information related to fundraising activities okay to use?
answer
When it is disclosed to a BA or institutionally related foundation, only the demographic information and dates of healthcare are provided, they are given the chance to opt out, and they were notified of the use in the NPP.
question
What are the administrative requirements of the HIPAA Privacy Rule?
answer
1) A Privacy Officer and contact person for receiving complaints be designated, 2) All workforce members are given privacy training (with documentation showing such), 3) There are safeguards and mechanisms in place to safeguard information (administrative, technical, and physical safeguards), 4) There are written policies and procedures (and ongoing review of such) that comply with all standards and specifications.
question
Who may be penalized for HIPAA/Privacy Rule violations?
answer
CEs, BAs, and employees of these
question
How are penalty amounts set up?
answer
They are tiered according to intent and extent of violation: Unknowing violations < Violations due to a reasonable cause < Willful Neglect < Uncorrected Violations