HIPPA Flashcards Preview

Intro. to clinic > HIPPA > Flashcards

Flashcards in HIPPA Deck (39):

What does HIPPA do?

improves efficiency and effectiveness of health care system by standardizing the electronic exchange of administrative and finanacial data
mandates specific protections for individually identifiable health information


goals of HIPPA

guarentee ongoing health insurance coverage for workers who change jobs
portability of pre-existing condition exemptions between employer group health plans
preventing fraud and abuse in health care
protect patient health information
standardize electronic transactions in healthcare/stimplify administrative reporting


covered entity

all health care plans
all healthcare clearinghousers (billing services)
healthcare provider who transmits any health information in electronic form in connection with a standard transaction


why is HIPPA needed?

to protect sensitive data from being lost, destroyed or misused


why is HIPPA important?

public trust
morally and ethically the right thing
good for business
prevents law suits
avoids financial penalties and possible imprisonment



rights of an individual to limit the use and disclosure of all protected health information



obligations of covered entities to safeguard protected health information from improper use of disclosure, especially electronically transmitted or stored information



release, transfer, provision of access to or divulging of information outside the entitiy holding the information



sharing, employment, application, utilization, examination or analysis of individually identifiable information within an entitiy



empolyees, volunteers, trainees and other persons whose conduct,, in the performance work, is under the direct control of such entity


business associate

a person or entity that performs a function that requires the creation, use or disclosure of PHI on behalf of a CE but is not considered partof a workforce



the physical premises and the interior and exterior of a building


security incident

attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system



and eletronic computing device, that performs similar functions and electronic media stored in its immediate environment


malicious software

software designed to damage or disrupt a system



any information, including demographic information, collected from an individual that is
1. created or received by a healthcare provider, health plan, employeer or healthcare clearinghouse
2. relates to the past present or future physical or mental health or condition of a individual; provision of health-care to an individual, or to the past present or future payment for the provision of healthcare to an individual
3. identifes the individual
4. there si reasonable basis to believe that the information can be used to identify the individual


examples of individually identifiable information (PHI)

names of relatives
date of birth
phone/fax numbers
cose or characteristics (occupation)
email address
medical record number
account number
certificate/liscence number


what is NOT considered PHI?

employment records of CE


privacy standards

require health care plans and providers to maintain administrative and physical safeguards to protect condifenciality of healht information and to protect against unarthorized access to that information


when does minimum necessary apply?

when using or disclosing protected health infomration or when requesting protected health information from another covered entity, a CE must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or requrest


when does minmum necessary apply?

anyone requesting PHI has a specific reason fofr which the PHI is needed
disclosure should be limited to that PHI needed for the specific purpose
use should be limited to the minimum necessary to perform your job


when is minimum necessary not applied?

when the PHI is for diagnosis or treatment purposes


what are patient rights for HIPPA?

1. to request an accounting of health information disclosures
2. request an amendment to health information
3. to inspect and copy health information
4. to receive confidential communications about tealth information
5. to request restrictions on disclosures
6. to complain to the CE and to DHHS


if a patient requests their PHI, when must you get it to them?

within 30 days of patient's request


what must you provide under HIPPA patient rights?

provide a printed policy of how PHI is used and protected
must have a history of PHI disclosures for purposes other than treatment, payment or health care operations


business associate aggreemtns include

1. billing or claims processing
2. medical transcritpions
3. utilization reivew
4. software vendors
5. offsite storage or document destruction


security standards as said by HIPPA

development and implementation of technical safeguards including firewall systems, virus detection, data backup systems, and updated software and hardware technology


administrative safeguards

1. security management process
2. assign security responsibility
3. workforce security
4. information acdess managment
5. security awarness and training
6. security incidence procedures
7. contingency planning
8. evaluation
9. business associate contracts


physical security considerations

1. computers
2. patient records
3. conversations/discussion of patient's health appointments
4. appointment book/scheduling system
5. secure rooms and files
6. FAX machines
7. contingency operations
8. facility security plan9. access controls and validation procedures
9. maitenance records
10. workshation use and security


technical safeguards

1. access control
2. audit conrols
3. integrity
4. person or entity authentication
5. transmission secturity


basics of a secure information system

1. access control
2. virus control
3. using approved hardware and software
4. backup procedureas


access control

controlling access to information only to those who are authorized
role based access or user based access methods used to assist in ensuring minimum necessary
passwords are sued to control access and provides authentication of the user and to audit (knowing whether or not tunauthorized access attempts have occured


how to keep your passowrd safe

1. keep it secret
2. commit it to memory
3. change it regularly
4. select passwords that are not easily guessed
5. never leave your system when you are logged on
6. never share your password



1. can spread easily to other copmuters and systems, or to any entity that you share information electronically
2. viruses may corrupt and damage date
3. viruses may damage your operating system rendering your sytems inoperable
5. viruses may cause your printer, scanner and browser to malfunction
6 .viruses may cause daa to be ranodmly sent contacts in your address book


ways to avoid viruses

1. scan all incoming data for viruses
2. scann all outgoing data for viruses
3. ensure the virus scanning software is updated with the latest virus signatures
4. never install unauthrozied software
5. stop and report suspected viruses immediately
6. don't attempt to fix a virus on your own


what should your last resort be for HIPPA related ifnormation?

get a backup
make sure it is in a safe place
make multiple backups
make frequent backups


how is PHI transmitted?

face to face interactions


how do you minimize visual misuse of PHI?

1. clean desk
2. placing patient charts with name faced inward
3. turning minitors away from general public
4. restricting access to areas where PPHI is openly displayed
5. shredding documents before putting them in the trash
6. conduct conversations in areas apart from others
7. speak in a low clear voice
8. if referencing a document, dont' show document to antoehr if there is finformation that the other shuld not have
9. take a survey of documents before ending conversation to make sure nothing is left behind


penalties for non-compliance

$100 fine per day for each unmet standard
$50,000 fine + one year in prison for knowingly disclosing health info for improper use
$100,000 fine + 5 years in proson for obtaining health information
udner flase pretenses
10 years in proson for usign health information
to sell, transfer or use for commerical
advantage, personal gain or malicious harm