Chapter 5 Flashcards

1
Q

HIPAA

A

Health Insurance Portability and Accountability Act, passed in 1996
one stated intent was to reduce the administrative costs of health care

2
Q

Administrative Simplification Section of Title II

A

section of HIPAA that required the development of standards for the content and transmission of electronic health care transactions, a single National Provider Identifier (NPI) for all health care providers, and the Privacy and Security Rules to protect health information

3
Q

Privacy Rule

A

compliance date April 14, 2003
2 essential approaches
1. assigns rights to individual patients to give them some control over their own health information
2. provides standards for the ways that health care providers, health plans and health care clearinghouses are permitted to access, use and disclose that information

4
Q

Security Rule

A

compliance date April 20, 2005 (for most covered entities)
applies only to PHI maintained or transmitted in electronic form (ePHI)

5
Q

Preemption

A

-the HIPAA statute has a preemption clause and is often termed a "floor": it sets a national minimum standard for the protection of health information, preempts contrary state law, but yields to state laws that are more stringent (and in certain other limited respects)
-necessary to understand the laws of your state and where they are more protective than, and therefore survive, the federal HIPAA regulation

6
Q

Health Information Technology for Economic and Clinical Health Act (HITECH)

A

-passed in February 2009
-designed to promote the widespread adoption and standardization of electronic health records
-includes notification requirements for breaches of unsecured PHI, increases the potential civil monetary penalties for violations of HIPAA, and strengthens certain privacy rights

7
Q

Genetic Information Nondiscrimination Act (GINA)

A

-GINA (2008) prohibits the use of genetic information for underwriting purposes; its HIPAA modifications, together with the HITECH changes, were implemented through the HIPAA Omnibus Final Rule
-the Omnibus Rule was effective March 26, 2013, with a compliance date of September 23, 2013
-made several modifications to the privacy practices that covered entities must implement

8
Q

What does HIPAA Govern and Who must comply with these regulations?

A

HIPAA governs the use and disclosure of protected health information by "covered entities" directly; business associates were originally bound only indirectly, through their contracts with covered entities, but since HITECH they are directly liable as well

9
Q

Covered Entity

A

health care providers that transmit any health information in electronic form in connection with a standard transaction, health plans (other than self-administered group health plans with fewer than 50 participants), and health care clearinghouses that receive, process, and transmit health information for payment purposes

10
Q

Protected health information (PHI)

A

individually identifiable health information that is created, collected, stored or transmitted by a covered entity (or its business associate) and maintained in electronic or any other form

11
Q

3 elements to determine if information is PHI

A

-it is health information that describes the past, present, or future health, condition, care or treatment of an individual, or payment for such care or treatment
-the information reasonably identifies the individual
-the information is maintained in electronic or any other form

all three elements are required for the information to be PHI

12
Q

De-identified Information

A
  • the "safe harbor" method lists 18 identifying characteristics (the exact count depends on how they are categorized)
    -an identifier by itself, without accompanying health information, is not PHI
    -all 18 identifiers must be removed, and the covered entity must have no actual knowledge that the remaining information could identify the individual, for the health information to be considered de-identified

13
Q

Patient privacy rights

A

an overriding theme to the privacy regulations is to place control over health information squarely in the hands of the individual who is the subject of the information

14
Q

Individual Rights under the Privacy Rule

A

-to access and obtain a copy of their PHI
-to request amendment of their PHI
-to obtain an accounting (listing) of disclosures of their PHI
-to receive a Notice of Privacy Practices
-to have communications about their PHI conducted in a confidential manner
-to request restrictions on certain uses and disclosures of their PHI
-to file a complaint about a covered entity's privacy practices, both with the covered entity and with the Office for Civil Rights (OCR)

15
Q

Notice of Privacy Practices

A

The covered entity is bound by its notice
The covered entity is required to make a good faith effort to obtain a written acknowledgement of receipt from the individual
If the first episode of care was via telephone, the covered entity must mail its notice to the individual within 24 hours

16
Q

Access to health information

A

-individuals cannot necessarily have access to everything in the record

17
Q

Information a covered entity may withhold from an individual's access to their PHI (no review of the denial required)

A

-psychotherapy notes
-information the covered entity compiled in anticipation of, or for use in, a civil, criminal or administrative proceeding
-PHI that the covered entity is prohibited from sharing under the Clinical Laboratory Improvement Amendments of 1988 (CLIA)
-in a correctional institution, if access would jeopardize the health, safety or security of the individual, another inmate, or the institution
-PHI obtained during a research study that includes treatment, if the individual agreed to the temporary suspension of access in the authorization signed at the beginning of the study

18
Q

Reasons a covered entity can deny an individual access to PHI

A

-a licensed health care professional has determined that access is reasonably likely to endanger the life or physical safety of the individual or another person
-the information was obtained from someone other than a health care provider, under a promise of confidentiality, and sharing it would be reasonably likely to reveal the source
-the request for access is by a personal representative, and sharing the information would be reasonably likely to cause substantial harm to the subject of the information or another person

*if access is denied on one of these grounds, the covered entity is required to provide a method for the individual to appeal the denial. Another licensed health care professional must review the decision, and the covered entity must abide by the decision of the reviewing official

19
Q

Amending PHI

A

-individuals have the right to request that a covered entity amend inaccurate or incomplete information
-the original information documented in the medical record should not be altered in such a way as to completely eliminate it
-the covered entity is not always required to amend the record, for example:
1. if the entity determines the record is accurate and complete
2. if the information was generated by another covered entity
3. if the individual is trying to amend information that he or she is not entitled to access
4. if the information is not part of the designated record set

20
Q

3 requirements to not disclose health information to a health plan

A
  1. The individual requests that the information not be provided to the health plan
  2. The individual or a family member has paid out of pocket for the service in full
  3. The disclosure to the health plan would otherwise be for payment or health care operations (and is not required by law)

21
Q

Communication of PHI

A

If an individual makes a reasonable request to have PHI communicated in a specific manner or at a specific location, a health care provider is required to accommodate the request.
E.g. the provider may call only a specific number and leave a message

22
Q

Accounting request of disclosures

A

HIPAA gives an individual the right to know who has received his or her PHI. On request, the covered entity must be prepared to provide a list of the disclosures it has made (subject to the exceptions below).

23
Q

Reasons an accounting of disclosures is not required

A

-for treatment, payment or health care operations
-an incidental disclosure
-made as part of a limited data set
-made with an authorization from the individual
-made for national security or intelligence purposes
-made prior to the compliance date of the Privacy Rule, April 14, 2003
-made to the subject of the information
-made where the individual was given an opportunity to object (e.g. facility directory, persons involved in care)
-made to a correctional institution or other law enforcement official having lawful custody of the individual, for purposes of providing appropriate care to the individual

24
Q

What’s included in the accounting of disclosure

A

-who
-date made
-brief description of information
-purpose of disclosure

May request an accounting that covers up to a six-year period

25
Q

Office for Civil Rights

A

OCR
An office within the Department of Health and Human Services (HHS)
Complaints about a covered entity's privacy practices can be filed here

26
Q

Three subcategories where PHI can be used or disclosed

A
  1. Uses and disclosures the covered entity is required or permitted to make without the individual's explicit permission
  2. Uses and disclosures permitted once the covered entity has given the individual an opportunity to object
  3. Uses and disclosures permitted only with the individual's explicit (written) authorization

27
Q

Permitted Disclosures

A

TPO - treatment, payment, and healthcare operations
If the use or disclosure of the PHI fits into one of these three definitions, the PHI can be used or disclosed without obtaining explicit permission from the individual

28
Q

TPO -Treatment

A

A physician can call his or her colleague in another specialty to get the colleague’s input on the care being provided

29
Q

TPO-Payment

A

A physician's staff can submit a bill to the individual's insurance company to obtain payment for the service provided

30
Q

TPO-Health Care Operations

A

A physician’s compliance staff can access the individual’s PHI to conduct an assessment of the physician’s coding and documentation practices

31
Q

2 instances under the privacy regulations when a covered entity is required to disclose PHI

A
  1. When the information is requested by the Secretary of the Department of Health and Human Services to investigate or determine compliance with the Privacy Rule
  2. When the subject of the information (or their personal representative) requests it

32
Q

Disclosure in the public interest without having to obtain the individual’s explicit permission

A

-required by law
-public health activities
-reporting on victims of abuse, neglect, or domestic violence
-reporting for health oversight activities
-judicial or administrative proceedings
-law enforcement purposes
-information to coroners, medical examiners, and funeral directors about decedents
-information for organ donation
-certain research purposes
-disclosures to avert a serious threat to health or safety
-specialized governmental functions
-workers’ compensation

33
Q

When covered entities have to give an individual an opportunity to object prior to the use or disclosure occurring

A

*First purpose - when a covered entity includes limited information about the individual in its facility directory
—information in the directory could be name, location, general condition, and religious affiliation.
*Second disclosure - a disclosure can be made to family, friends, or others involved in the individual’s care or payment for the care
*Third- can disclose PHI under the provision for purposes of assisting in disaster relief
—Such disclosures would generally be made so the location and condition of the individual could be accessible to family and friends

34
Q

Authorizations form for use and disclosures

A

Must include:
-a specific and meaningful description of the PHI to be used or disclosed
-who is authorized to make the use or disclosure
-who is authorized to receive the PHI
-a description of the purpose of each requested use or disclosure
-an expiration date or event
-the signature of the individual and the date
-a statement informing the individual of the right to revoke, and instructions for how to revoke
-a statement of whether signing is a condition of treatment, participation in research, eligibility for benefits, or enrollment in a health plan, where applicable

*if any required element is missing the authorization is invalid, and the covered entity cannot rely on it to use or disclose PHI

35
Q

Fundraising

A

The Privacy Rule allows the use of limited PHI for fundraising without an authorization
-name, address or other contact information, insurance status and dates of care
If additional PHI is wanted, an authorization is required
HITECH requires that each fundraising communication give the individual a clear way to opt out of receiving further fundraising requests
*The covered entity is also prohibited from conditioning treatment or payment on the individual's choice to opt out.

36
Q

Marketing

A

The Privacy Rule prohibits the use or disclosure of PHI for "marketing" purposes unless the individual has specifically authorized it, and the authorization must state when the covered entity is receiving direct or indirect remuneration from a third party for the communication
*if the marketing communication is made face to face, or consists of a promotional gift of nominal value, an authorization is not required
*HITECH requires a way to opt out

37
Q

Overarching principles that are equally important components of the privacy regulations

A
  1. Minimum necessary standard
  2. Verification
  3. Disclosures to business associates, and breach notification requirements

38
Q

Minimum Necessary Standards

A

-Limits the amount of PHI that can be used, disclosed or requested in a particular circumstance to the minimum necessary to accomplish the intended purpose

39
Q

Circumstances when minimum necessary evaluation is not required

A

-with an authorization
-to a health care provider for treatment
-to the subject of the information
-to the Secretary of HHS
-as required by law
-as required to comply with the regulations

*otherwise evaluated on a case-by-case basis

40
Q

Minimum necessary- role-based access

A

Means only allowing employees and others access to the information that is needed to perform their role in the organization

41
Q

Minimum necessary- need-to-know

A

Is generally an education process
E.g. a physician may be granted access to the entire record, but should consult only the portions needed for the task at hand

*the ability to access PHI does not equate to a need to know the information

42
Q

Level of access

A

Covered entities must determine the appropriate level of access to be granted to various individuals based on their role. Next step is to educate those individuals regarding the proper uses and disclosures of the PHI to which they have been given access

43
Q

Verification

A

A way to verify that the individual is who they say they are and has a right to receive the information

*Most important is that a covered entity has a process for verification, a rationale for why the process is reasonable, and evidence that the process is consistently followed.

44
Q

Business Associate

A

A contracted external company or individual that performs services for, or on behalf of, a covered entity involving the use or disclosure of PHI.

E.g. accounting, legal counsel, coding and billing, transcription services, vendors of EHR systems

Under the HITECH Act, BAs are accountable to HHS and directly liable for civil and criminal penalties for uses and disclosures that would violate the Privacy Rule.
The Omnibus Rule further extended the BA requirements to subcontractors of BAs

45
Q

What has to happen before PHI is shared with a business associate

A

The business associate must provide satisfactory assurances, in a written business associate agreement, that it will not use or disclose PHI in a manner that would violate the Privacy Rule.
The business associate agreement must define, among other things:
1. The permitted functions of the BA and the limitations on its uses and disclosures
2. What happens to the PHI upon termination of the agreement

46
Q

Exceptions to what constitute a breach

A

-disclosures where the covered entity or business associate has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the information
-certain unintentional acquisition, access or use of the information, made in good faith and within the scope of authority, by a workforce member or person acting under the authority of the covered entity or business associate
-certain inadvertent disclosures between persons at the same covered entity or business associate who are both authorized to access PHI

47
Q

Presumptively reportable

A

The covered entity must report any breach of unsecured PHI unless the covered entity determines that there is a low probability of compromise of the privacy and security of the PHI

48
Q

HITECH Act and Omnibus additions for breach

A

HITECH - created an obligation on the part of covered entities and their BAs to notify individuals of a breach when it meets the standard for a reportable breach
Omnibus - modified the standard so that an impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach unless a risk assessment shows a low probability of compromise

49
Q

National Institute of Standards and technology (NIST)

A

HHS issued guidance on securing health information, specifically the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals.
For electronic PHI the accepted methodology is encryption consistent with NIST guidance (and destruction of the media); PHI secured this way is not "unsecured", so its loss is not a reportable breach
The NIST guidance addresses data at rest and data in motion

50
Q

Non-electronic formats

A

Methodologies include de-identifying the information, or shredding, pulping or otherwise treating the material so the information cannot be reconstructed

51
Q

Who is to be notified if there is a reportable breach

A

-the individual or their personal representative
-the Secretary of HHS, via the Office for Civil Rights (OCR)
-if an individual is deceased, the notice goes to the next of kin or personal representative, if known

52
Q

Undeliverable notices of breach

A

-the covered entity must provide a substitute notice as soon as reasonably practicable; for fewer than 10 individuals this can be by alternative written notice, telephone or email
-for 10 or more individuals, the covered entity must post conspicuous notice on the home page of its website for at least 90 days (or in major print or broadcast media), including a toll-free number, active for at least 90 days, through which individuals can learn whether their PHI was involved

53
Q

Four factors to assess to determine low probability of compromise

A
  1. Content - the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. Person - the unauthorized person who used the PHI or to whom it was disclosed
  3. Access - whether the PHI was actually acquired or viewed
  4. Mitigation - the extent to which the risk to the PHI has been mitigated

54
Q

How and when to report breaches when over 500 individuals

A

-breaches affecting 500 or more individuals must be reported to HHS through the online reporting form on the OCR website at the same time individuals are notified. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery of the breach
-if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must also be notified

55
Q

How and when to report breaches when under 500 individuals

A

The covered entity must log these breaches and report them to HHS no later than 60 days after the end of the calendar year in which they were discovered, through the same online reporting mechanism (individuals are still notified within 60 days of discovery)

56
Q

The breach notice to individuals must include:

A

-a description of what happened, including the date of the breach and the date of the discovery
-description of the types of information involved in the breach
-steps individuals can take to protect themselves from harm
-description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals and protect against future breaches
-contact information for individuals to ask questions

57
Q

Who is responsible for the enforcement of the privacy rule?

A

The Office for Civil Rights (OCR)

58
Q

HITECH tiers of penalty amounts

A

-Violations the covered entity did not know about and, exercising reasonable diligence, would not have known about: a penalty per violation of a minimum of $100 up to $50,000

-Violations due to reasonable cause and not to willful neglect: a minimum of $1,000 up to $50,000

-Violations due to willful neglect that were corrected within the required period: $10,000 up to $50,000

-Violations due to willful neglect that were not corrected: a minimum of $50,000

The calendar-year cap for identical violations was raised from $25,000 under HIPAA to $1.5 million under HITECH

59
Q

Privacy

A

Refers to the right of an individual to control his or her personal info and to keep it from being divulged or used by others against his or her wishes

60
Q

Confidentiality

A

Is a means of protecting that information, usually by safeguarding it from unauthorized disclosure

-this only becomes an issue once an individual’s personal information has been received by another entity

61
Q

Security

A

Applies to the spectrum of physical, technical, and administrative safeguards put in place to protect the integrity, availability and confidentiality of information and the systems in which it is stored

62
Q

Distinction between security and privacy

A

Security regulations only apply to PHI maintained in the electronic medium (ePHI), whereas privacy rule applies to all PHI held by a covered entity

63
Q

Three new terms related to business arrangements

A

-Organized Health Care Arrangements (OHCA)
-Affiliated Covered Entities (ACE)
-Hybrid Covered Entities (HCE)

64
Q

Organized Health Care Arrangements (OHCA)

A

Is a clinically integrated care setting in which the individual typically receives health care from more than one health care provider

Example - a hospital and its medical staff

*if a physician participates in an OHCA and agrees to join its joint notice, it is important to understand that the notice only applies to services provided within the OHCA. The physician must still distribute a separate notice to patients seen in a private practice clinic

65
Q

Joint Notice

A

Agreeing to participate in an OHCA allows the covered entities to have a joint notice which covers the manner in which all members of the OHCA will use and disclose PHI about the individual

66
Q

Affiliated Covered Entities (ACE)

A

Is a group of legally separate covered entities that share common ownership or control

Common ownership exists if an entity or entities possess 5% or greater ownership interest in another entity

Common control exists if one covered entity has the ability to significantly influence the actions or policies and procedures of another covered entity, either directly or indirectly

An ACE allows a group of covered entities to function as one covered entity for most purposes under HIPAA. However, the designation as an ACE does not by itself make each of the legally separate entities liable for the privacy violations of the others

67
Q

Hybrid Covered Entities (HCE)

A

Is a single legal entity whose activities include both covered functions (those that make it a health care provider, a health plan and/or a health care clearinghouse) and non-covered functions. The entity designates its health care components, and the HIPAA rules apply to those components rather than to the whole organization.