Unit 5: Privacy and Security of Health Information Flashcards
(41 cards)
Privacy
The right of an individual to limit access to information about themselves unless it contradicts federal or state law
Confidentiality
The expectation that information shared with a healthcare provider will be used only for its intended purpose
Security
The protective measures and tools for safeguarding information in a system
ex: user names and passwords
2009 HITECH Act
made laws safeguarding patient information more stringent due to the increased use and access to patient healthcare information
Ohio Revised Code
more stringent than 1996 HIPAA
RED Flag Rules
for providers that collect credit card information. Laws regard suspicions of medical identity fraud
Covered Entity CE
Health plan, healthcare clearing house, or healthcare provider that transmits any health information in electronic form
Protected Health Information PHI
individually identifiable health information held or transmitted by a CE or its business associate, electronic, paper, or verbal
Designated Record Set DRS
a group of records maintained by the CE (typically a healthcare provider) that may include payment and medical information
Use
PHI is used internally; quality department determines whether appropriate care was given
Disclosure
PHI is disseminated from the CE (healthcare provider) and sent to an external source such as an attorney, insurance company, or another hospital
Minimum Necessary
Limit the PHI disclosed to the least amount required to accomplish the intended purpose for which the information was requested
PHI Identifiers subject to HIPAA
Name Postal address Telephone numbers Fax numbers Social security numbers Medical record numbers Health plan beneficiary numbers Account numbers License numbers Vehicle identifiers (vin or plate) Medical device identifiers Biometrics Full face photographs
TPO Treatment, payment, operations
the times when PHI can be used
AARA Requirements
Certification of EHRs
Mandated HIPAA Audits
Increased penalty severity
Business associates also subject to privacy and security regulations
Internal security threats
hardware
Environment
Employees: human error, exploiting access, malice or gain
External security threats
External humans who access data or steal hardware
Natural disasters: necessitates use of backup servers in an alternate location
Confidentiality
only giving ePHI access to those who need it
Integrity
Making sure data isn’t altered during transmission or storage
Availability
Information must be available when needed for patient care and other uses to authorized users
Administrative safeguards
people focused: training, policies, assessment
Physical safeguards
mechanisms to protect hardware, software, and data
like locks on the door to the server room
should protect against fire, theft, etc
Technical safeguards
use technology to protect data and control access
Access controls
a computer software program designed to prevent unauthorized use of an information resource
Must have policies on who can view, create, and modify data
