Chapter 9 - Data Privacy and Confidentiality
Privacy Rule documentation requirements for accounting of disclosure requests:
- information included in the accounting of disclosure - the written accounting that was provided to the individual - titles of persons or offices responsible for receiving and processing requests for an accounting of disclosure
exceptions to the right of access
- psychotherapy notes - information compiled in reasonable anticipation of civil, criminal, or administrative action or proceeding - PHI subject to the Clinical Laboratory Improvements Act
states have laws requiring the disclosure of health information, even without patient authorization. Scenarios include:
- vital statistics (births and deaths), public health, safety, welfare - sexually transmitted diseases - communicable diseases - those injured by knives or firearms - those with wounds suggesting violent criminal activity - victims of child abuse/neglect
HIPPA privacy rule requires to do one of the following for deidentification:
1. CE can strip certain elements to ensure patient's info is truly deidentified. 2. CE can have an expert apply generally accepted statistical and scientific principles and methods to minimize the risk that info might be used for identification
When a denial of access is made:
1. CE must write the denial in plain language and include the reason 2. must explain that the individual has the right to request a review of the denial 3. must describe how the individual can complain to the CE and must include the name or title and phone number of the person or office to contact 4. must explain how the individual can lodge a complain with the secretary of HHS
Disclosures for which an accounting is NOT required include:
1. For TPO (only applies to CEs without EHRs) 2. To individuals to whom the info pertains, or the individual's personal representative 3. Incidental to an otherwise permitted or required use or disclosure 4. pursuant to an authorization 5. for use in the facility directory, to persons involved in the individual's care, or for other notification purposes 6. to meet national security or intelligence requirements 7. to correctional institutions or law enforcement officials 8. as part of a limited data set 9. that occurred before the compliance data for the CE
three types of covered entities
1. Healthcare providers 2. Health plans 3. Healthcare clearninghouses
Two instances where the Privacy Rule requiring a CE to give an individual the right to review a denial of access
1. Situations where a licensed healthcare professional determines that access to requested PHI would likely endanger the life or physical safety of the individual 2. access would reasonable endanger the life or physical safety of another person mentioned in the PHI
the CE may deny the right to request amendment when it determines the PHI or health record did not comply with the following:
1. Was not created by the CE 2. Is not part of the designated record set 3. Is not available for inspection as noted in the regulation of access (psychotherapy) 4. is accurate or complete as is
The Privacy Rule allows a cost-based fee when an individual requests a copy of PHI or agrees to accept a summary or explanatory info. Fees include:
1. copying, including supplies and labor of copying 2. postage, when the individual has requested that the PHI be mailed 3. preparing an explanation or summary, if agreed to by the individual
an accounting of disclosure must include:
1. date of disclosure 2. name and address (when known) of the entity or person who received the info 3. brief description of the PHI disclosed 4. brief statement of the purpose of the disclosure or a copy of the individual's written authorization or request
types of disclosures that must be accounted for include:
1. disclosures made erroneously 2. for public interest and benefit activities 3. where patient authorization is not obtained, and pursuant to a court order
a workforce consists of:
1. employees 2. volunteers 3. student interns 4. trainees 5. board of directors 6. employees of outsourced vendors who routinely work on site in the CE's facility
If an amendment is granted, the CE must:
1. identify documentation in designated record set affected by amendment, append information, and supply a link to the amendment's location where applicable. 2. Inform individual that amendment was accepted and to identify persons with whom amendment needs to be shared with and obtain his or her agreement to notify those persons. CE must make reasonable effort to provide amendment with reasonable amount of time to anyone who received PHI
18 identifiers removed for deidentification
1. names 2. geographic subdivisions smaller than a state, including street addresses, city, county, precinct, and zip code if the geographic unit contains fewer than 20,000 people; the initial 3 digits of the zip code must be changed to 000 or zip codes with the same three initial digits may be combined to form a unit of more than 20,000 people 3. all elements of dates, except the year, directly related to an individual including birth, admission, discharge, and death dates; in addition, all ages over 89 and all elements of dates (including the year) that would identify such age cannot be used, however individuals over 89 can be aggregated into a single category of 90 and over 4. telephone numbers 5. fax numbers 6. e-mail addresses 7. social security numbers 8. health record numbers 9. health plan beneficiary numbers 10. account numbers 11. certificate and license numbers 12. vehicle identifiers and serial numbers, including license plate numbers 13. device identifiers and serial numbers 14. web universal resource locators (URLs) 15. Internet protocol (IP) address numbers 16. biometric identifiers, including fingerprints and voiceprints 17. full-face photographic images and any comparable images 18. any other unique identifying number, characteristic, or code except for permissible reidentification to match information back to the person about the individual (code must not be derived from or related to information about the individual, cannot be translated to her or her identity, may not be used for any other purpose, and may not disclose the reidentification mechanism)
Three key documents outlined by the Privacy Rule that inform patients and given them a degree of control over their PHI
1. notice of privacy practices (required) 2. authorization (required) 3. HIPAA consent to use or disclose PHI (optional)
components of a business associate agreement
1. parties to the BAA (CE and BA; BA and subcontractor of BA) 2. Purpose of BAA 3. Definitions (breach; electronic PHI; individual; PHI; law) 4. Obligations and activities of BA 5. permitted uses and discloses by BA (or subcontractor) 6. Obligations of the CE 7. Term and termination 8. Indemnity for both parties 8. Limitation of liability 9. Miscellaneous 10. Signatures, titles, contact information
who does the Privacy Rule apply to?
1. persons or organizations identified as covered entities 2. business associates 3. workforce
two key goals to the Privacy Rule
1. provide greater privacy protections for one's health information (limits access to others) 2. provide an individual with greater rights with respect to his/her health information
individual rights
1. right of access 2. right to request amendment of PHI 3. right to accounting of disclosures 4. right to request restrictions of PHI 5. right to request confidential communications 6. right to complain of Privacy Rule violations
A CE denies an individual access to PHI without providing him or her an opportunity to review or appeal a denial in the following situations:
1. the PHI is psychotherapy notes 2. PHI was compiled with reasonable anticipation of, or for use in, civil or criminal litigation or administrative action 3. CE is a correctional institution or provider under direction of a correctional institution, and an inmate's request for his or her PHI creates health or safety concerns 4. PHI is crested or obtained by a covered healthcare provider in research that includes treatment, and the individual receiving treatment agrees to suspend his or her right of access to PHI temporarily during the study 5. PHI contained in records subject to federal Privacy Act if the denial of access under the Privacy Act would meet the requirements of that law 6. PHI maintained by a CE subject to the Clinical Laboratory Improvement Amendments (CLIA) of 1998, which regulates quality of lab testing, and CLIA would prohibit access 7. PHI is maintained by a CE exempt from CLIA requirements
right to request amendment denial components:
1. the basis for the denial 2. the individual's right to submit a written statement disagreeing with the denial 3. the process of how the individual can submit his/her disagreement 4. statement explaining how, when the individual does not submit a disagreement, he/she may request that both the original amendment request and CE's denial accompany any future disclosures of PHI that is subject of the amendment 5. A description of how the individual ay complain to the CE, including name or title and phone # of person or office
how to know if information is PHI
1. the information must be held or transmitted by a CE or a BA electronically, on paper, or orally 2. must be individually identifiable health information 3. must relate to a person's past, present, or future physical or mental health condition, the provision of healthcare, or payment for the provision of healthcare
an individual's request for review of PHI must be acted on no later than ____ after the request is made
30 days
A CE must act on a request for an accounting of disclosures no later than ____ after receipt
60 days
Amendment denials must be made within ___ of the request and be written in plain language
60 days
an individual's amendment request must be acted on no later than ___ after receipt by allowing it or denying it in writing
60 days
when the PHI is off-site, an individual's request for review of PHI must be acted on no longer than
60 days
HIPAA's attempt to streamline and standardize the healthcare industry's non-uniform business practices, such as billing, to include the electronic transmission of data
Administrative simplification
provided significant funding for health information technology and other economic stimulus funding - made important changes to HIPAA privacy and security rules found in the Health Information Technology for Economic and Clinical Health Act (HITECH)
American Recovery and Reinvestment Act (ARRA)
one of the key federal regulations that governs the protection of protected health information (PHI)
HIPAA Privacy Rule
BAAs must be
HIPAA and ARRA compliant
the federal legislation enacted to provide continuity of health coverage, control fraud and abuse in healthcare, reduce healthcare costs, and guarantee the security and privacy of health information
Health Insurance Portability and Accountability Act (HIPAA)
the federal agency within HHS that is responsible for enforcing the Privacy Rule, recommends a flat fee up to $6.50 - Used when a CE doesn't wish to calculate actual or average costs for electronic PHI - Fees cannot be assessed to those accessing PHI via View, Download, and Transmit function of a certified EHR
Office for Civil Rights (OCR)
was first established by presidential executive order and is now recognized by statute as an entity within the Department of Health and Human Services (HHS) - primary federal entity responsible for coordinating national efforts to implement and use health information technology and promote the exchange of electronic health information
Office of the National Coordinator for Health Information Technology (ONC)
The Privacy Rule requiring a CE to give an individual the right to review a denial of access
Opportunity to Review
The ___ refers to another individual who is not a healthcare provider, and a licensed healthcare professional has concluded from the documentation that the access requested is likely to cause significant harm to that other individual
PHI
with the ____ ____, protections was achieved uniformly across all states through a consistent set of standards affecting providers, healthcare clearinghouses, and health plans
Privacy Rule
HIPAA contains five titles: Title 2 is most relevant to HIM: prevents healthcare fraud and abuse and medical liability (malpractice) reform, and administrative simplification
Title I: Insurance Portability Title II: Administrative Simplification (HIM) (Transactions, identifiers, security, privacy, enforcement) Title III: Medical Savings and Tax Deduction Title IV: Group Health Plan Provisions Title V: Revenue Offset Provisions
Treatment - providing, coordinating, or managing healthcare or healthcare-related services by one or more healthcare providers Payment - activities by a health plan to obtain premiums, billing by healthcare providers or health plans to obtain reimbursement, claims management, claims collection, review of the medical necessity of care, and utilization review Operations - quality assessment and improvement, case management, review of the professional's qualifications, insurance contracting, legal and auditing functions, general business management functions (customer service and due diligence) DOES NOT include marketing or fundraising
Treatment, payment, and operations (TPO)
Elizabeth has requested a copy of her PHI from Memorial Hospital. Which of the following is acceptable for Memorial Hospital to charge Elizabeth? a. A reasonable cost-based fee b. It may not charge Elizabeth at all c. It may impose any fee authorized by state statute d. It can charge only for the cost of the paper on which the information is printed
a. A reasonable cost-based fee
Deidentified information: a. Does not identify an individual b. Is information from which only a person's name has been stripped c. Can be constituted later or combined to reidentify an individual d. Is subject to the HIPAA Privacy Rule
a. Does not identify an individual
Julie wants to review her health records, but she is asking about the Privacy Rule's requirements pertaining to record retention. HIPAA establishes that a patient has the right of access to inspect and obtain a copy of her PHI: a. For as long as it is maintained b. For six years c. Forever d. For 12 months
a. For as long as it is maintained
The term minimum necessary means that healthcare providers and other covered entities must limit use, access, and disclosure to the least amount to: a. Retain records needed for patient care b. Accomplish the intended purpose c. Treat an individual d. Perform research
b. Accomplish the intended purpose
The right of privacy: a. Has been granted by the US constitution b. Has been granted via count decisions c. Does not apply to health information d. Does not exist
b. Has been granted via count decisions
The Privacy Rule extends to protected health information: a. In any form or medium, except paper and oral forms b. In any form or medium, including paper and oral forms c. That pertains to mental health treatment only d. That exists in electronic form only
b. In any form or medium, including paper and oral forms
Business associate agreements are developed to cover the use of PHI by: a. The covered entity's employees b. Organizations outside the covered entity's workforce that use PHI to perform functions on behalf of the covered entity c. The covered entity's entire workforce d. The covered entity's janitorial staff
b. Organizations outside the covered entity's workforce that use PHI to perform functions on behalf of the covered entity
a person or organization other than a member of a CE's workforce that performs functions or activities on behalf of or for a CE that involves the use or disclosure of PHI - include consultants, billing companies, transcription companies, accounting firms, law firms
business associate (BA)
the privacy rule does not allow CEs to disclose PHI to BAs unless the two enter into a written contract, or ________, that meets HIPAA and ARRA requirements
business associate agreement (BAA)
HIPAA regulations: a. Never preempt state statutes b. Always preempt state statutes c. Preempt less strict state statutes where they exist d. Preempt stricter state statues where they exist
c. Preempt less strict state statutes where they exist
One state's law protects the privacy of health information to a greater extent than HIPAA does. a. The state law will be preempted by HIPAA b. The state law is invalid because it does not provide the same level of protection as HIPAA c. The state law may supersede HIPAA d. The state's law must be consistent with HIPAA
c. The state law may supersede HIPAA
A CE must provide a process for an individual to file a ____ or allegation about the entity's policies and procedures, its noncompliance with them, or its non-compliance with the Privacy Rule - CE notice of privacy practices must contain info to submit complaints to HHS - all ____ are documented
complaint - right to complain of Privacy Rule Violations
stems from the sharing of private thoughts in confidence with someone else - legally protected when communication is between parties such as physician and patient
confidentiality
a person or organization that must comply with the HIPAA Privacy Rule
covered entity (CE)
Bob is exercising his HIPAA right to request confidential communications of both Memorial Hospital and TruePlus, his health plan. When asked by both entities how he will handle payments, he declines to provide them with any information. As a result: a. TruePlus must still honor the request b. Only Memorial Hospital may deny the request c. Memorial Hospital must still honor the request d. Both Memorial Hospital and TruePlus may deny his request
d. Both Memorial Hospital and TruePlus may deny his request
The Privacy Rule applies to: a. Healthcare providers only b. Only healthcare providers that received Medicare reimbursement c. Only entities funded by the federal government d. Covered entities and their business associates
d. Covered entities and their business associates
DataSource is a business associate of Davis Health System. An individual who was a patient in the Davis Health System contacts DataSource, requesting an accounting of disclosures and stating that this is her right per the HIPAA Privacy Rule. Datasource: a. Does not have to respond to the patient because it is not a covered entity b. May refer the request to Davis Health System c. Does not have to respond to the patient because this is not a HIPAA individual right d. Must respond to the patient and provide an accounting of disclosures
d. Must respond to the patient and provide an accounting of disclosures
does not identify an individual because personal characteristics have been stripped from it in such a way that it cannot be later constituted or combined to reidentify an individual - used in research
deidentified information
includes the health records, billing records, and various claims records that are used to make decisions about an individual - broader than legal health record because it contains more components than those that would ordinarily be produced upon request
designated record set
how health information is disseminated outside a healthcare organization - providing patient information to an insurance company
disclosure
pay for the cost of medical care - health insurance
health plans
process claims between a healthcare provider and payer - intermediary that processes a hospital's claim to Medicare to facilitate payment
healthcare clearinghouses
Those that conduct certain transactions (financial or administrative) electronically - include hospitals, long-term care facilities, physicians, and pharmacies
healthcare providers
the person who is the subject of the PHI
individual
the information must either identify the person or provide a reasonable basis to believe the person could be identified from the information
individually identifiable health information
powerful in assisting with the collection and analysis of data, so it is possible to identify individuals by combining specific data
information technology
ARRA has specified that without final clarification of minimum necessary, CEs are to use the
limited data set (PHI with certain specified direct identifiers removed)
requires that uses, disclosures, and requests be limited to only the amount needed to accomplish an intended purpose -does not apply to PHI used, disclosed, or requested for treatment, payment, or operation purposes
minimum necessary standard
Is mandatory public health reporting part of a CE's operations? - because of this answer, these must be included in the accounting of disclosures
no
does disclosure to a patient require patient authorization using the HIPAA authorization form?
no
does the Privacy Rule apply to every person and every organization?
no
is deidentified information protected by the HIPAA privacy rule?
no
A CE denies an individual access to PHI without providing him or her an opportunity to review or appeal a denial
no opportunity to review
is disclosure to a subpoena that is accompanied by a patient's written authorization subject to an accounting of disclosure?
no, because the authorization exempts the disclosure from the accounting of disclosure requirement
Does HIPAA permit retrieval fees to be charged to patients?
no, but they are permitted for non-patient requests
do requests for PHI have to be in writing?
not always, but some CEs require it
ARRA also included in the BA definition ____ ____ ____, which utilize information to improve the safety and quality of patient care; health information organizations (HIOs); e-prescribing gateways and persons who facilitate data transmissions; personal health record (PHR) vendors who, by contract, enable CEs to offer PHRs to their patients as part of the CE electronic health record
patient safety organizations (PSOs)
person who has legal authority to act on another's behalf - must be treated the same as an individual regarding use and disclosure of individual's PHI
personal representative
the legal doctrine of ____ means that federal law (for example, the HIPAA Privacy Rule) may supersede state law BUT the HIPAA Privacy Rule is only a federal floor, or minimum, privacy requirements so it does not preempt or supersede stricter state statutes (or other federal statutes
preemption
a social value and is the right "to be let alone"
privacy
either identifies an individual or provides a reasonable basis to believe the person could be identified from the information given - electronic, paper, or oral
protected health information (PHI)
what does the Privacy Rule protect?
protected health information (PHI)
behavioral notes that document a mental health professional's impressions from private counseling sessions - exception to the right of access
psychotherapy notes
allows an individual to inspect and obtain a copy of his/her own PHI contained within a designated record set, such as a health record - extends as long as the PHI is maintained, although the Privacy Rule does not require health records to be retained for a specified period
right of access
gives the individual the right to obtain his/her own PHI, or to direct a CE to transmit PHI about that individual to a third party without barriers or unreasonable delays - must be given in format requested or a hard copy or other format agreed upon
right of access
an individual's right to request that a CE restrict the uses and disclosures of PHU to carry out TPO
right of restrictions of PHI
an individual's right to receive an accounting of certain disclosures made by a CE
right to request accounting of disclosures
the right allowing one to request that a CE amend a PHI or a record about the individual in the designated record set
right to request amendment
individual's right to request that communications of PHI be routed to an alternative location or by an alternative method - can be denied if individual does not provide info on how payment will be handled or an alternative address or method by which he or she can be contacted - billing info for doctor sent to a woman's work instead of home
right to request confidential communications
laws protecting the privacy of health information vary significantly by
state
____ means that a state or federal statute provides an individual with greater privacy protections or gives greater rights with respect to their PHI
stricter
the PHI of deceased persons loses PHI status and is no longer protected by HIPAA after
the individual has been deceased more than 50 years
The Privacy Rule requires an accounting of all disclosures within
the six years prior to the date on which the accounting was requested
True or False: A BA's subcontractors are also BAs if they require access to an individual's PHI, regardless of whether an agreement has actually been signed - must comply with HIPAA
true
True or False: State laws supersede HIPAA if the state law is stricter - also known as preemption
true
True or false: Before HIPAA, no federal statutes or regulations generally protected the confidentiality of health information
true - patient privacy protection laws governing access, use, and disclosure largely resided with the individual states
how a healthcare organization avails itself of health information internally, such as a nurse reviewing a patient's health record
use
the accounting of disclosure requirement includes disclosures that are
written, oral, or electronic
do all requests for amendments, denials, the individual's statement of disagreement, and CE's rebuttal have to be appended or linked to the record or PHI subject to the amendment request?
yes
if a person or organization meets the definition of a BA, are they a BA?
yes they are a BA by law (even if the required agreement has not been signed) and are subject to penalties if they violate HIPAA