The Health Insurance Portability and Accountability Act (HIPAA) is a ______________ law that was signed into effect in _______.
HIPAA was designed to protect Americans with medical conditions from ___________________ when they changed jobs or moved.
Losing health insurance.
HIPAA is comprised of ___ rules.
The _____________ Rule: Became effective April 14, 2003. Provides regulations and safeguards regarding confidential patient information.
The Privacy Rule.
The ________________ Rule: Became effective October 16, 2003. Requires that a nationally standardized format be used for all health-care transactions that are transmitted electronically, most notably all insurance claims. Practitioners who submit claims electronically must therefore either use appropriate software or contract with a health-care clearinghouse (which accepts written data, transforms it into electronic data, and then transmits it to the insurance company).
The Transaction Rule.
The _______________ Rule: Became effective April 20, 2005. Addresses issues of physical security, such as locking files and encrypting e-mails.
The Security Rule.
Technically, compliance with HIPAA's rules is only required when health information is __________________________. However, once any information is transmitted electronically, HIPAA's rules apply to the ________________ of a psychologist or institution.
- Transmitted in some electronic form
- Entire practice
While issues about confidentiality and patient access to records are typically governed by state laws and regulations, HIPAA is a federal law that can ___________________ state law. However, whichever is _______________ ultimately takes precedence.
- Take precedence over
- More stringent
When state law and HIPAA are contradictory, making it impossible to comply with both, ____________ takes precedence.
While __________________ allows the provider to deny access to records when adverse or detrimental consequences are anticipated, ______________ states that access can be denied only when the health care professional has determined that access is reasonably likely to endanger the life or physical safety of the individual or another person.
- CA State Law
Penalties for failure to comply with HIPAA include:
1) Administrative sanction by the Office for Civil Rights of Health and Human Services
2) Civil penalties of $____ for each violation up to a total of $__________ per year
3) Fines of up to $__________________ or ten year imprisonment, or both, for deliberate and knowing violations of patients' privacy rights
HIPAA distinguishes between __________________________ and psychotherapy notes. Most of HIPAA's general provisions govern the former; more stringent protections govern psychotherapy notes.
Protected health information (PHI).
______________________ refers to health information that identifies a patient, and that is transmitted or maintained in any form (e.g., on computer, handwritten notes, etc.). It includes information about the mental health condition of a patient (e.g., diagnosis, symptoms, prognosis, progress), the provision of services (e.g., medication, treatment modality, treatment plan, frequency of treatment), and payments. Typically, chart notes kept on a psychotherapy patient are considered to be PHI.
Protected Health Information (PHI).
_______________________ refer to what have historically been termed "process notes." These include the notes of practitioners that document or analyze the content of counseling sessions. In order for process notes to be considere "________________________," they must be separated from the rest of an individual's medical record (typically interpreted as physically separated).
Psychotherapy Notes (both blanks).
HIPAA distinguishes between __________________ consent and __________________.
- Generalized consent
- General consent
________________________: This refers to obtaining patient permission to disclose information on a release of information form. According to HIPAA, this is not needed for disclosures, as long as any of the disclosures are for the purposes of treatment, payment, or healthcare operations. However, it is needed for any other type of disclosure (e.g., a patient's spouse requests PHI).
According to HIPAA, managed care organizations and other third-party reimbursement entities ___________ require the release of psychotherapy notes in order to provide reimbursement.
HIPAA provides for ___ basic patients' rights.
Right of Notice.
Right to ___________________: Psychologists are obligated to agree to "reasonable requests" to restrict use and disclosure of PHI. Psychologists are not obligated to agree to any and all limits on disclosure and use that are requested by patients.
Right to Request Restriction.
Right to Receive ____________________________ by _______________________ and at Alternative Locations: Patients may elect to have psychologists mail their bills to an address other than their home address or not too call them at their home phone, in order to protect patients' confidentiality.
Right to Receive Confidential Communications by Alternative Means and at Alternative Locations.
____________________: Patients have the right to inspect and receive a copy of PHI that is in the medical record. Records may only be withheld when disclosure would jeopardize the life or physical safety of the patient or others. Patients do not have a right to inspect or obtain a copy of their _____________________.
- Access to Records
- Psychotherapy notes
Right of ____________________: Patients may request changes to their PHI to improve accuracy. If a psychotherapist determines that such a change would make the PHI less accurate, the request may be denied. The record may never be expunged; instead, changes should be noted as amendments. All requests for amendments, as well as whether they were granted or denied, must be documented.
Right of Amendment.
Right of __________________: Patients have the right to receive record of all the disclosures of their PHI for the past six years. This record must include information about the date of the disclosure, the party to whom the information was disclosed, and a description of what was disclosed and for what purpose. Written authorization by the patient may be used in lieu of such an accounting procedure.
HIPAA outlines ___ duties applicable to all providers who need to be HIPAA compliant.
___________________________: Psychologists must have one of these, and it must be given to all patients. It must reflect compliance with HIPAA and state laws. A HIPAA compliance oficer must be designated; in most small practices this would be the practitioner him or herself.
_____________________: Psychologists must track disclosures of PHI.
______________________________: Psychologist must ensure that employees are trained and compliant with HIPAA requirements. They must obtain contractual assurances that business associates (e.g., billing companies) comply with HIPAA.
Compliance of Employees and Business Associates.
_______________________________: If psychologists want psychotherapy notes to receive more stringent protections, they must maintain these notes separately from the rest of the medical record.
Protection for Psychotherapy Notes.
____________________________: Access to PHI must be protected; practitioners must take appropriate and reasonable actions such as locking filing cabinets, ensuring that electronic records are protected with passwords and firewalls, and encrypting e-mails that contain PHI.
Safeguarding Access to PHI.