HIPAA Flashcards
(41 cards)
What does HIPAA do?
Protects individually identifiable health information
- sets limits on disclosures of PHI
- institutes safeguards to secure PHI
- hold people accountable for safeguarding PHI
- gives patients control of their PHI
HIPAA allows info to be more easily…
exchanged among health care professionals
Direct vs. Indirect treatment
Direct - healthcare provider is directly treating patient
Indirect - health care provider delivers treatment to individual based on orders of another provider
*RPh does BOTH
Hybrid Entity
business that has both covered and non-covered functions (ex. Walmart pharmacy/store)
*must ensure PHI remains within the pharmacy
Individual Identifiable health information
any info (recorded or oral) that includes demographic info relating to the health of an individual
Protected Health Information (PHI)
identifiable health info that is transmitted by electronic media and is covered by HIPAA
De-identification of PHI:
information about an individual that is de-identified…
means there is no reasonable way to identify the individual; NOT considered identifiable health information.
- removal of names, geographic subdivisions SMALLER than states, dates (except year), photos, etc.
- if info is RE-identified then becomes pHI once again.
Minimum Necessary
a covered entitiy must make reasonable efforts to limit protected health info to the minimum amount need to accomplish intended purpose.
- does NOT apply to pharmacists
Safeguards
put in place to protect privacy of PHI from intentional/unintentional disclosures
Privacy Officer
NECESSARY
responsible for development/implementation of safeguards
HIPAA Employee Training
- necessary for all workers
- employers must keep training records
- must be given training in reasonable timeframe
- employees must be informed/trained about any changes
- must punish employees who misuse PHI
Patients rights to access their health records
EXCEPTIONS:
- inmates
- psychotherapy notes
When can you deny a patient their right to access their PHI?
- danger to the patient
- harm to another
- give patient written reason for denial along with complaint procedures –> patient has right to review denial
Right to an Accounting
individual has right to receive a list of all disclosures of PHI for up to past 6 years
- must act on request within 60 days
- first account is FREE
Complaints
- patient has right to file complaint
- ANYONE can file a complaint
- file in writing (paper or electronic)
- file within 180 days of act
Patient Retaliation
NOT ALLOWED
Consent Forms vs. Authorization Forms
Consent Forms - voluntary
Authorization Forms - mandatory
Can you look up a patients info if you are NOT actively treating them?
NO
you MAY disclose patient PHI to others IF…
- you have patients agreement
- provide patient with opportunity to object
- based on professional judgement, you infer that patient does not object
If patient is not present, incapacitated, or in an emergency…
use your professional judgement to see if disclosure is best
Who has the authority to act on behalf of a minor?
parent, guardian, loco parentis
What do the police need to request access to PHI?
SUBPOENA
or a signed/written authorization from patient
Notice of Privacy Practices
- tells how you are going to use PHI
- tells patient of their rights
- patient can refuse to sign document –> can still treat/fill for patient (DOCUMENT refusal)
*EXCEPTION - inmates do NOT have right to notice of privacy
How long must you keep written acknowledgements of Notice of Privacy Practies?
6 years
