Chapter 5 Flashcards
HIPAA
passed in 1996
intent to reduce the administrative costs of healthcare
Administrative Simplification Section of Title II
section of HIPAA that required the development of standards for the content and transmission of electronic transactions, the adoption of a single NPI number for all health care providers, and the Privacy and Security Rules to protect health information
Privacy Rule
effective April 15, 2003
2 essential approaches
1. assigns rights to individual patients to provide them with some control over their own health information
2. provides standards for the ways that health care providers, health plans and health clearing houses are permitted to access, use and disclose information
Security Rule
effective April 20, 2005
Preemption
-HIPAA statute has a preemption clause and is often termed a “floor” in that it provides a national standard for the protection of health information that can be pre-empted by state laws in certain limited respects
-necessary to understand state laws and how they may preempt the federal HIPAA regulation in your state
Health Information Technology for Economic and Clinical Health Act (HITECH)
-passed in February 2009
-designed to promote the widespread adoption and standardization of electronic health records
-includes notification requirements for breaches of unsecured information, increases the potential civil monetary penalties for violations of HIPAA, and strengthens certain privacy rights
Genetic Information Nondiscrimination Act (GINA)
-effective March 23, 2013
-Became known as the Omnibus Rule
-Made several modifications to the privacy practices that covered entities must implement
What does HIPAA Govern and Who must comply with these regulations?
HIPAA governs the use and disclosure of Protected health information by “covered entities” directly and their business associates indirectly
Covered Entity
health care providers that transmit any health information in electronic form, a health plan with more than 50 participants, and a health care clearinghouse that receives, processes, and transmits health information for payment purposes
Protected health information (PHI)
individually identifiable health information that is created, collected and stored by a covered entity and maintained in electronic or any other form
3 elements to determine if information is PHI
-health information that describes the past, present, or future health condition, care, or treatment of an individual, or payment for such care or treatment
-information must reasonably identify the individual
-the information must be maintained in electronic or any other form
all three elements are required for the information to be PHI
De-identified Information
- approximately 18 identifying characteristics depending upon how they are categorized
-the presence of one identifier alone does not mean the information is PHI
-All 18 identifiers must be removed for health information to be considered de-identified
Patient privacy rights
an overriding theme to the privacy regulations is to place control over health information squarely in the hands of the individual who is the subject of the information
Individual Rights under the Privacy Rule
-to access and obtain a copy of their PHI
-Right to amend their PHI
-Obtain an accounting or listing of disclosures of their PHI
-Right to receive a Notice of Privacy Practices
-to have communications about their PHI conducted in a confidential manner
-to restrict disclosure on certain uses and disclosures of their PHI
-to file a complaint about a covered entity’s privacy practices with the covered entity as well as with the Office of Civil Rights (OCR)
Notice of Privacy Practices
Covered entity is bound by the notice
Covered entity is required to make a good faith effort to obtain an acknowledgement from the individual
If the first episode of care was via telephone, the covered entity must mail its notice to the individual within 24 hours
Access to health information
-individuals cannot necessarily have access to everything in the record
Ways a Covered entity can restrict an individual’s access to their PHI
-psychotherapy notes
-info a covered entity compiled to prepare for actual or anticipated litigation
-PHI that the covered entity is prohibited from sharing pursuant to the Clinical Laboratory Improvement Amendments (CLIA) of 1988
-PHI held by a correctional institution, if access would put the security of the individual, another inmate, or the institution at risk
-if obtained during a research study and the individual agreed to the restricted access in the authorization signed at the beginning of the study
Reasons a covered entity can deny an individual access to PHI
-sharing the information would put the individual or another person in danger
-the information was obtained from someone other than another health care provider and sharing the information would be reasonably likely to put that person at risk for substantial harm
-the request for access is by a personal representative and sharing the information would be reasonably likely to put the subject of the information or another person at substantial risk of harm
*if access is denied, the covered entity is required to provide a method for the individual to appeal the denial. Another licensed health care professional must review the decision, and the covered entity must abide by the decision of the reviewing official
Amending PHI
-individuals have the right to request that a covered entity amend inaccurate or incomplete information
-original info documented in the medical record should not be altered in such a way as to completely eliminate the information
-the covered entity is not always required to amend the record:
1. if the entity determines the record is accurate and complete
2. if the info was generated by another covered entity
3. if the individual is trying to amend info that he or she is not entitled to access
4. if the info is not part of the designated record set
3 requirements for a covered entity to not disclose health information to a health plan
- the individual requests that the info not be provided to the health plan
- the individual or a family member has paid out of pocket for the service in full
- the health plan would normally obtain the info for payment or health care operations
Communication of PHI
If an individual makes a reasonable request to have PHI communicated in a specific manner, a health care provider is required to accommodate the request.
E.g., the provider may only call a specific number and leave a message
Accounting request of disclosures
HIPAA gives an individual the right to know who has received his or her PHI. If there is a request, the covered entity must be prepared to provide a list of all disclosures it has made.
Reasons an accounting of disclosures is not required
-treatment, payment or healthcare operations
-an incidental disclosure
-made in a limited data set
-made with an authorization from the individual
-made for national security purposes
-disclosure prior to the enforcement date of the privacy regulation, April 14, 2003
-disclosure to the subject of the information
-disclosure that only required giving the individual an opportunity to object
-disclosure to a correctional institution or other law enforcement official having custody of the individual for purposes of providing appropriate care to the individual
What’s included in the accounting of disclosure
-who
-date made
-brief description of information
-purpose of disclosure
May request an accounting that covers up to a six-year period
Office of Civil Rights
OCR
An office within the Department of Health and Human Services
Complaints about a covered entity’s privacy practices can be filed here
Three subcategories where PHI can be used or disclosed
- Uses and disclosures the covered entity is required or permitted to make without an individual’s explicit permission
- Permitted uses and disclosures if the covered entity has given the individual an opportunity to object to the disclosure
- Uses and disclosures only with the individual’s explicit permission