Health Laws Flashcards
Health Insurance Portability & Accountability Act of 1996
privacy rule- disclosure- PEACES
- patient
- emergency
- authorization
- court
- enforcement (law enforcement)
- secretary of HHS
- limited data sets (direct identifiers removed) may be disclosed for research, public health or health care operations under a data use agreement
notice of privacy practices must be given
- by healthcare providers no later than first service delivery
- by health plans at enrollment and on request
HIPAA
privacy rule- right to access
must provide access within 30 days of request (one 30-day extension allowed with written notice)
covered entity must give access to PHI in a designated record set (psychotherapy notes and litigation materials excluded)
business associate must give access to what is necessary for covered entity to meet its obligations
HIPAA
privacy rule- other rights
- amend: can deny request but must give written reason and allow individual to file a statement of disagreement
- accounting of disclosures: covers the 6 years prior to the request
- privacy official must be designated (privacy rule requirement)
HIPAA
security rule - required security controls
- security official
- risk assessments (initial and ongoing)
- training program for workforce
HIPAA
security rule- addressable security controls
must assess whether the control is reasonable and appropriate for the entity's environment (addressable does not mean optional)
if reasonable and appropriate- must implement
if not- must document why and implement an equivalent alternative measure if one is reasonable and appropriate
HIPAA
recognized security practices (2021 HITECH amendment, often called the "safe harbor")
if covered entity/business associate shows recognized security practices (e.g. NIST CSF, 405(d) HICP) in place for the previous 12 months, HHS must consider it when
- setting fines (reduced)
- deciding whether to end security audits early
- mitigating other remedies
HIPAA
written contracts with service providers (business associate agreements)
must be put in place under both the HIPAA privacy rule and security rule before a business associate handles PHI
Health Information Technology for Economic & Clinical Health Act
data breach notification
breach of unsecured PHI (not encrypted or destroyed per HHS guidance): notify without unreasonable delay, no later than 60 days after discovery
- affected individuals
- secretary of HHS (within 60 days if 500+ affected; otherwise annual log within 60 days of year end)
- prominent media (500+ residents of a state/jurisdiction affected)
- covered entity (business associate notifies the CE if the BA is the source)
HITECH
breach presumption
breach is presumed unless covered entity/business associate can show low probability that PHI was compromised, based on a documented risk assessment of
- nature and extent of PHI involved (identifiers, likelihood of re-identification)
- the unauthorized person who used or received the PHI
- whether PHI was actually acquired/viewed
- extent to which the risk has been mitigated
Genetic Info Nondiscrimination Act of 2008
employer restrictions on genetic information (GI)- I PET FMLA
can't request, require, or purchase genetic info unless
- inadvertent acquisition
- publicly available sources
- voluntary employee wellness program
- genetic monitoring of biological effects of workplace toxins
- FMLA certification (family medical history)
GINA
restrictions
- no discrimination based on genetic information absent a manifested disease (manifested disease itself is not covered by GINA)
- health insurer can't request or require genetic testing, except for research where testing is voluntary, the HHS secretary is notified, and results are not used for underwriting
Confidentiality of Substance Use Disorder Patient Records Rule
who it applies to
Part 2 programs (must be federally assisted)
- individual/entity (other than a general medical facility) that holds itself out as providing alcohol/substance use disorder diagnosis, treatment, or referral
- identified unit within a general medical facility providing such treatment
- medical personnel of a general medical facility whose primary function is such treatment and who are identified as providers
lawful holders: 3rd parties that lawfully receive records from Part 2 programs are also bound (even if not federally assisted)
Confidentiality of Substance Use Disorder Patient Records Rule
restrictions
- records can't be used to initiate or substantiate criminal charges against, or to investigate, a patient
- written security policies and procedures for records, including disposal
- written notice of confidentiality rights to patients
Confidentiality of Substance Use Disorder Patient Records Rule
is there a right to amend
NO
Confidentiality of Substance Use Disorder Patient Records Rule
disclosure- QA C3REVICE
no disclosure of patient identifying information unless
Q- qualified service organization (QSO agreement in place)
A- audit and evaluation
C- court order (with required good-cause findings)
C- child abuse/neglect report
C- crimes on program premises or against program personnel
R- research
E- medical emergency
V- VA (and Armed Forces)
I- internal communications within the program
C- consent (valid only as long as the patient permits and no longer than reasonably necessary for the purpose)
E