HIPAA Privacy Rule Flashcards
(87 cards)
1
Q
HIPAA acronym
A
Health Insurance Portability and Accountability Act
2
Q
Privacy Rule was passed in what year?
A
2003
3
Q
Security Rule was passed in what year?
A
2005
4
Q
The privacy rule establishes the ______
A
minimum
(NOTE: if state and federal are diff, follow the most stringent one)
5
Q
What is privacy?
A
Freedom from unauthorized intrusion
6
Q
What is confidentiality?
A
requires HC providers to protect heath records from unauthorized use
(NOTE: may be written or verbal)
7
Q
What title # of HIPAA pertains to privacy and security?
A
Title II
8
Q
What forms of info does the Privacy rule cover?
A
oral, written, and electronic
9
Q
What forms of info does the Security rule cover?
A
Only electronic info
10
Q
PHI acronym
A
Protected health info
11
Q
What does HIPAA lack?
A
a private right of action
(NOTE: means that a pt can’t sue for HIPAA violation, only an attorney or general gov)
12
Q
Purpose of HITECH (2009) (2)
A
- Strengthens privacy and security of PHI (i.e. use of EHRs)
- increased penalties
13
Q
What is health info per HIPAA?
A
Any info (whether oral or recorded in any form) that is created or received by a health care provider, health plan, employer, life insurer, school
AND relates to the past, present, or future phys/mental health of an individual
14
Q
What happens if health info is not dated?
A
Applies to the future
(no end date)
15
Q
What 6 things does HIPAA provide the patient the right of?
A
- access
- request amendment
- accounting of disclosure
- request confidential communications
- request restrictions
- complain of privacy rule violations
16
Q
Who does HIPAA apply to? (2)
A
- Covered entities (+ workforces)
- Business associates (+ workforce and subcontractors)
17
Q
What is covered under HIPAA?
A
PHI (and any “HIPAA identifiers” that point to a certain pt)
18
Q
What is NOT covered under HIPAA? (2)
A
- De-identifiied info
- personnel and edu records
19
Q
Three HIPAA CEs:
A
- Healthcare provider
- Health plan
- Healthcare clearinghouse
20
Q
CE: Healthcare provider description
A
doctor
21
Q
CE: Health plan description
A
insurance plan
22
Q
CE: Healthcare Clearinghouse description
A
3rd party billing vendor
23
Q
Should HIPAA be politicalized?
A
No
24
Q
An example of an organization that would need a business associate agreement is…
a) housekeeping service
b) Hospital where dr refers patients for surgery
c) Healthcare organization’s employees
d) Billing service that the healthcare organization uses
A
d) Billing service that the healthcare organization uses
25
HIPAA Applicability: What is a Business Associate (BA)?
Any person or org that provides services around PHI or its disclosure
(ex: 3rd party vendors, consultants, etc)
26
What is a Business associate agreement (BAA)? Does it apply to subcontractors?
Legally protects info handled by BA that complies with HIPAA
Yes
27
Components of a BAA (3):
- written
- specifies permitted/prohibited uses
- assurances of safeguards to prevent unauthorized use
28
What law added more BA categories?
HITECH
28
If a health care facility accepts cash or provides free services, like a clinic that provides physical exams, administers vaccines, and gives well baby check-ups regulated by HIPAA?
No; free services are not CE
29
Are wearable devices that collect PHI covered by HIPAA?
No
29
Are artificial intelligence (AI) programs that analyze patient data considered BAs?
No
30
What was added to the 2024 HIPAA update?
- strengthened reproductive privacy
- reward, similar to qui tam
- increased care coordination for SUD records
31
What is a workforce?
Any individual working under the CE's direct control
(paid employees, volunteers, trainers, interns, outsourced vendors)
32
What are the three components for determining PHI?
1. identifies a person or a reasonable basis to believe a person could be identified
2. relates to one's health condition
3. is held or transmitted by a CE or its BA
33
Decedents according to 2013 Omnibus Final Rule
PHI does not have to be retained after 50 yrs
34
What happens with the HIPAA privacy rule under emergencies?
Specific parts can be suspended for up to 72 hours
35
What Act covered edu records?
Federal Education Records Privacy Act (FERPA)
36
PHI disclosure
Dissemination of PHI from a CE/NA
37
PHI Use
Handling PHI internal to a CE/BA
37
PHI Request
Asking for access to PHI
38
Minimum necessary
"need to know" concept
Limits PHI uses, disclosures and request to only the "minimum necessary" amt to accomplish an intended purpose
39
Two situations where HIPAA requires use or disclosure of PHI without an individual’s authorization:
1. Indv or rep requests access
2. US Dept H&HS is investigating
40
What is TPO? Does it require authorization?
Treatment, payment, operations
No but may do it as a courtesy
41
2 Situations where indv can informally agree or object
1. Pt admission directory
2. Notification to fam/friends
42
For what things is a valid authorization for disclosure of info required? (5)
- PHI that cannot be released w/out authorization
- psychotherapy notes
- marketing
- research
- sale of PHI
43
What is marketing in HC?
Communication about a product or service that encourages the recipient to purchase or use it
44
What did HITECH do in terms of marketing?
Limited the def of HC operations to increase the marketing authorization requirement
44
What is the problem with marketing?
CEs often classify marketing activities as HC operations NOT requiring authorization
45
When can fundraising be considered part of operations?
When it uses de-identified info to raise funds to benefit the org
46
What pt info can be used for fundraising purposes? (6)
- demographics
- date of HC provided
- department of service info
- treating physician
- outcome info
- health insurance status
46
HITECH imposes additional requirements on CEs and ____ patients’ ability to easily and inexpensively opt out of fundraising solicitations that use or disclose PHI
strengthens
47
When does the notice of privacy practice have to be given?
before on on the first visit
47
How long does the notice of privacy practice have to be kept?
3 years
47
What is the notice of privacy practices?
- lays out how a CE will use and disclose PHI
- CE legal duties regarding PHI
47
What does the use and disclosure of psychotherapy notes require?
Authorization
48
Is selling PHI a violation of the Notice of Privacy Practices?
Yes
49
What happens if the pt refuses to sign the Notice of Privacy Practices?
Must be documented; care can't be withheld
50
Does consent has an expiration date?
No
50
T/F: Providers are required to obtain a pt's signed consent to use/disclose PHI for TPO purposes?
False; not required
51
What is authorization?
Written permission for specific disclosure (things other than TPO)
52
Key HIPAA elements included in authorization (9)
- name of individual
- who is making disclosure
- to whom info is going to
- type of info disclosed
- signature of individual
- date signed
- expiration date
- statement of right to revoke
- redisclosure statement
53
Providing a copy of an emergency room visit report to a PCP is an example of which of the following under HIPAA?
A. Use of protected health information
B. Provision of protected health information
C. Minimum necessary of protected health information
D. Disclosure of protected health information
D. Disclosure of protected health information
54
What is the right to request restrictions?
Requesting restrictions on uses/disclosures of PHI outside of TPO;
(NOTE: not required to agree if too difficult to carry out request)
55
What is the exception to the right to request restrictions?
If individual wishes to not use Health Plan and pay in full with cash
56
What info is included in accounting of disclosures?
- date
- name/address of entity that recieved info
- info disclosure
- statement on purpose of disclosure
57
Who investigates HIPAA violations?
HHS- OCR
Office of Civil Rights
57
Who owns the pt record?
Provider/ org
58
When a pt is requesting access to records, how long do CEs have to respond after the request was received?
30 days (15 days if electronic info)
59
Instances when a pt can be denied access to PHI (3)
- psychotherapy notes
- correctional institutions if it jeopardizes safety
- if info was obtained other than provider and access would reveal source of info
60
What did the 21st Century Cures Act do? (2)
- reiterates pt access
- prohibits info blocking
61
Reasons for having a denied PHI request (2)
- endangers life or safety
- causes substantial harm to another person mentioned in PHI
62
Explain if it is a HIPAA Privacy rule violation:
Natalie requested a list of people who have reviewed her record. This is her second request of the year. The hospital is charging her $150
Yes, excessive fee
62
Explain if it is a HIPAA Privacy rule violation:
The hospital received a request to amend a patient record. They refused to accept the request
Yes, have to accept but may not honor request
63
Explain if it is a HIPAA Privacy rule violation:
Bob refused to sign the Notice of Privacy Practice, but the hospital treated him anyway
No
63
Explain if it is a HIPAA Privacy rule violation:
Mr. Smith requests a copy of his wife’s medical record but does not include a written authorization from his wife.
Yes, need the wife's authorization
63
What is a breach?
unauthorized access, use, or disclosure of PHI
Must demonstrate PHI was compromised
64
Omnibus rule's 3 exceptions to breach notification rule
1. PHI disclosure was not intentional
2. access to PHI was unintentional by a workforce member
3. HC org has good faith the PHI was not retained
65
Breach notification notice is for... (2)
- individuals affected
- HSS via online portal
66
HIPAA Breach Notification Requirements: 9-499 individuals
Web posting and media notification
67
What does preemption do?
Gives legal precedence to federal law when it conflicts with state law
67
HIPAA Breach Notification Requirements: 500+ individuals
notice to media outlets and Secretary of HHS
68
Is this a HIPAA violation?
There was an overdose at 17 Tyler Road around 1:30 this morning. Charleston County responded and the female in the home was taken via ambulance to the hospital. Per the officers, it was cocaine and pills
No, the resident is not a CE or BA.
69
How many tiers of HIPAA violation penalties are there?
4
70
HIPAA Violation Penalties: Tier 1
Unaware of HIPAA violation
71
HIPAA Violation Penalties: Tier 2
Had reasonable cause and not willful neglect
72
HIPAA Violation Penalties: Tier 3
Had willful neglect and corrected within 30 days of discovery
73
HIPAA Violation Penalties: Tier 4
Had willful neglect and not corrected as required
