HIPAA Privacy and Security Requirements

Question 1

What are the goals of privacy?

Answer 1

Patient control over sharing of information
Disclosure of how information will be used

Question 2

What are the goals of security?

Answer 2

Information available to those who need it
Information not available to those who do not

Question 3

What is protected health information?

Answer 3

Information that identifies an individual and describes his/her medical condition or treatment
Includes clinical information, information on payment, basic demographic information, name, address, and telephone number
Applies to written and electronic information

Question 4

What is use and disclosure?

Answer 4

Information is used by members of our workforce for collection of information by clinical staff, review of patient charts by clinical staff, completion of billing forms by clerical staff, and accounting and bookkeeping entries
Information is disclosed when it is shared with others (transmission or information to a health plan or billing service, transmission of prescriptions to a pharmacy, consultation with an independent provider, and reporting to government agencies)

Question 5

What is notice of privacy practices and acknowledgement?

Answer 5

A notice is a statement given to each patient describing how the practice will use and disclose health information and outlining the patient’s rights under HIPAA
Acknowledgement is written documentation that the notice was provided to a patient, either signed by the patient or completed by a staff member explaining why the patient did not sign it
*HIPAA requires us to give the notice to every patient when they first visit a medical practice
Consent in a concept that doesn’t exist in HIPAA

Question 6

What is authorization?

Answer 6

Required for uses and disclosures other than for treatment, payment, healthcare operations, and to comply with legal mandates
Signed by the patient or patient’s personal representative
An authorization must identify the information to be disclosed or used, how the information will be used, and who will use it
The authorization must be signed by the patient or by the patient’s representative if the patient is unable to sign it

Question 7

What is the workforce?

Answer 7

Members of the medical practice
Employees of the medical practice
Independent contractors we hire (under our supervision)
*Anyone who performs work for us is covered by the HIPAA privacy and security provisions

Question 8

What is a business associate?

Answer 8

An entity that performs services for the practice
Examples: billing services and accreditation agencies
Must give satisfactory assurances

Question 9

What is a personal representative?

Answer 9

A person who can act on behalf of the patient
Must have legal authority to act on the patient’s behalf
A personal representative may acknowledge the Notice of Privacy Practices, authorize use and disclosure of information, request and receive an accounting of use and disclosure, and request amendment of health information (change in information about a patient)

Question 10

What is minimum necessary?

Answer 10

HIPAA limits use and disclosure of protected health information to the ‘minimum necessary’ to accomplish an intended purpose
Examples:
Any information requested for treatment
Any information in a standard transaction
Information required by administrative task
Information specified in request from law enforcement officials, regulatory officials, subpoena or court order

Question 11

When is authorization not required to use and disclose a patient’s medical information?

Answer 11

Treatment of the patient
Obtaining payment
Out day-to-day operations (confirming contracts with 3rd parties, etc.)
Legally mandated reporting or disclosure

Question 12

What is treatment?

Answer 12

Collection of information
Review of patient records and test results
Consultation with other providers
Referral to another provider
Transmitting information to other providers
*As long as we have not agreed to a request from the patient to restrict the sharing of information, we are not limited by HIPAA in terms of the information we can share – as long as it is used for the purpose of treatment

Question 13

Do we need to obtain the patient’s authorization to transmit payment information?

Answer 13

No
To determine whether a patient is eligible for coverage under a health plan
To determine whether specific tests or services are covered under a health plan or to determine cost sharing requirements
To submit a claim or to inquire about the status of a claim
To process payments or claims remittances
To process credit card transactions or obtain approvals of checks

Question 14

What are health care operations?

Answer 14

Maintenance of medical records
Maintenance of accounting records
Quality assurance activities
Staff credentialing and performance evaluation
Conducting financial and management audits
Investigating complaints
Supporting legal activities
Resolving grievances
General business management
*Any of these activities may require us to examine information from patient records
We do not need a patient’s approval for any of these uses
However, we have to limit the information we use to the “minimum necessary” for the task at hand

Question 15

What are legally mandated disclosures?

Answer 15

Federal, state and local laws may require our medical practice to disclose or report information about patients
HIPAA allows us to comply with these requests for information
Examples:
Police and Law Enforcement
Public Health Reporting (reportable infectious diseases and vital events (birth and death))
Abuse and Neglect Reporting
Licensing and regulatory oversight
Legal proceedings

Question 16

What are some general examples of legally mandated disclosures?

Answer 16

Reporting certain injuries or wounds to law enforcement agencies
Reporting crimes
Complying with investigations of fraud and abuse
Reporting infectious diseases and vital events to public health authorities
Reporting suspected abuse, neglect or domestic violence
Permitting inspection of records by licensing and regulatory agencies
Disclosing information as part of legal proceedings

Question 17

Who is disclosure permitted to?

Answer 17

Spouses, parents and legal guardians, and others involved in care

Question 18

Is it good to obtain patient permission to disclose information to family members?

Answer 18

Yes
We still should make sure the patient is given a chance to object to the disclosure of information to family members or others
We’re allowed to assume there’s no objection if the patient is present while we discuss the case with a relative and the patient says nothing about it
If the patient cannot be consulted on this issue, the patient’s representative should be consulted

Question 19

What are incidental disclosures?

Answer 19

Unwitting disclosure of information about our patients
It could take the form of a conversation overheard by another staff member, a vendor, or a patient
A telephone call to a patient to communicate test results might be overheard, or test results might be left where they can be seen by unauthorized persons

Question 20

What are some examples of incidental disclosures?

Answer 20

An overheard conversation among staff members
An overheard discussion between staff and patients
An overheard telephone call to a patient
Test results being filed in patient records

Question 21

Are incidental disclosures permitted?

Answer 21

Yes, but should be avoided

Question 22

Do incidental disclosures need to be documented?

Answer 22

NO

Question 23

What can you do to try to minimize incidental disclosures?

Answer 23

Conduct discussions in private areas
Limit discussion when others are present

Question 24

What does a notice of privacy practices tell the patient?

Answer 24

How their information will be used
With whom their information will be shared
When an authorization is needed
How to request an accounting
of uses and disclosures
How to request access to information
How to request changes in information

Question 25

What are patient rights for the notice of privacy practices?

Answer 25

Request restrictions on use and disclosure Request confidential communications Obtain an accounting of uses and disclosures Review protected health information Request changes to information

Question 26

Who provides the notice to patients?

Answer 26

Responsibility of receptionist Provide during first patient visit Review key provisions Discuss and resolve requests for restrictions on use and disclosure and confidential communications (right to request restrictions on the ways their information is used)

Question 27

Does the staff need to make an effort to obtain the patient's written acknowledgement that they received the notice of privacy practices?

Answer 27

Yes An acknowledgement documents receipt of the notice It must be obtained only on the patient’s first visit here and should be obtained before the patient receives any medical services An acknowledgement form is attached to the Notice, and is the preferred method of documenting receipt of the notice If a patient cannot or will not sign the acknowledgement, we should document the attempt on the acknowledgement form itself The reason the patient didn’t acknowledge receipt should be given

Question 28

When is authorization needed for medical/clinical research?

Answer 28

Investigational treatment Research protocols Exception for “de-identified” data

Question 29

When is authorization needed for marketing?

Answer 29

Promoting third-party products/services Providing mailing lists to others

Question 30

Do we have to get the patient’s OK any time we use or share their information for a purpose unrelated to treatment, payment, health care operations, or compliance with legal mandates?

Answer 30

Yes

Question 31

What must authorization include?

Answer 31

Identify the information to be used or disclosed Identify users/persons to whom disclosed Identify purposes of use or disclosure Note the potential for redisclosure

Question 32

Can we make authorization a condition of treatment? (won't treat unless you authorize)

Answer 32

No This is true except when treatment available only to research subjects and treatment requested by the patient for disclosure

Question 33

Should the authorization form be reviewed with the patient?

Answer 33

Yes Any questions concerning the specific information to be used, the uses to which the information will be put, or the individuals and organization who will be given the information should be addressed The potential for re-disclosure should be discussed In a nutshell, information disclosed to a third party may not be protected by the federal privacy regulations If the information will be protected from further re-disclosure, the authorization should note these protections Obtain patient/representative signature File authorization form in records

Question 34

What is the goal of the accounting?

Answer 34

Let patients know who has received their information – and why Facilitate amendment/correction when erroneous information has been disclosed *we have to track disclosures to law enforcement agencies, to regulatory agencies, for public health reporting, and to report abuse or neglect We must also own up to disclosures that should not have occurred, for example using information in a research study without the patient’s authorization

Question 35

What are we not required to provide accountings of?

Answer 35

Uses and disclosure of information related to treatment, payment or health care operations Disclosure of information to the patient Incidental disclosures Disclosures that are specifically authorized by the patient Disclosures to a person who is involved in the patient’s care *Need to remind patients that once it leaves the realm of healthcare, it is no longer protected by HIPAA (no longer private)

Question 36

Do patients have to file formal, written requests for accountings?

Answer 36

Yes After reviewing the request, we prepare the accounting and make it available to the patient We cannot charge the patient a fee for the first accounting produced for him or her in any 12-month period We will charge, however, for all accountings beginning with the second one in a 12-month period

Question 37

What is the content of the accounting?

Answer 37

Identity of the person or organization to whom information was disclosed Description of the information disclosed Description of the purpose of the disclosure

Question 38

What rights does HIPAA give to patients?

Answer 38

To review and copy their records To request changes in their records To have changes communicated to others

Question 39

What rights does HIPAA give to providers?

Answer 39

To charge for copies of health information To deny requested changes in patient records

Question 40

What needs to happen when a patient requests to change information?

Answer 40

Review the patient request Changing patient records is something we don't want to do - basically saying we didn't provide standard of care in the first place and anyone who has gotten these records needs to be informed that they were changed If we decide the information is correct, we statement and explain our reasons for not changing the information to the patient in writing That written explanation must advise the patient that he or she can submit a written statement disagreeing with the denial, and require us to include the patient’s original request for a change in any subsequent disclosures of the same information We also are required to spell out the procedures the patient should follow in preparing their written disagreement with our decision We have the option of replying to that statement and including our reply – along with the original exchange – in any subsequent disclosure of the information As you’d probably guess, we’re also required to maintain records of all of this correspondence

Question 41

What are the two aspects of security?

Answer 41

Preventing unauthorized access/disclosure Preventing loss of information

Question 42

What is the scope of security concerns?

Answer 42

Securing electronic information Securing paper records

Question 43

Is security everyone's business?

Answer 43

Yes Information systems managers & staff Medical professionals Clerical and billing staff Managers and supervisors Consultants and contractors

Question 44

What are some security threats?

Answer 44

Loss of information Theft of information Unauthorized disclosures Accidental disclosures

Question 45

What are liability control considerations?

Answer 45

Legibility Accuracy Completeness Reasoning Spoliation (intentional alteration or destruction of documentation; cannot go back and refine documentation, the first draft is the final draft) Timeliness (documentation is concurrent with the care) Alignment (medical documentation must support your billing and compliance documentation)