HIM: Ch 11 Slides
A valid authorization for disclosure of information is required for the following:
Disclosure of PHI not permitted to be released without an authorization; psychotherapy notes; marketing; sale of PHI
Use and Disclosure without Authorization
For the purpose of treatment, payment, or healthcare operations (TPO); accounting of disclosures; de-identification; expert determination method; safe harbor method; re-identification
Biometric Authentication
Allows a user to be uniquely identified and access the system based on one or more biometric traits such as fingerprints, hand geometry, retinal pattern, or voice waves
Software criticality analysis
Assessing systems to determine how crucial the information in the system is to day-to-day healthcare operations and patient care
HIPAA Enforcement
Compliance (internal); investigations (internal or external); penalties for violations (internal or external); procedures for hearings; corrective action plan (CAP); civil monetary penalty (CMP); reasonable cause; willful neglect
Emergency mode operation plan
Creates processes and procedures to support the continuation of critical business and patient care operations while protecting the security of ePHI in the event of a disaster
Expert determination method
Data elements that could identify an individual are removed from the data, and then an expert (such as a statistician) applies scientific methodology to determine the likelihood that the individual could be identified
Data at rest
Data is in storage within a database or on a server where it is no longer being used or accessed
Confidentiality
Data or information is not made available or disclosed to unauthorized people
Disaster recovery plan
Defines the processes for recovery of data in the event of a disaster
Is authorization needed when a patient requests that her record be released to her daughter to support patient care?
Depends on the age of the patient (13 years)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Ensures health insurance portability; establishes standards for electronic claims and national identifiers; protects against fraud and abuse; assures the privacy and security of protected health information (PHI)
Logic bombs
Malware that executes a program or a string of code when a certain event happens.
A healthcare organization sends medical records to the insurance company for payment of services
No authorization
Is authorization needed when a patient does not want his/her name in the patient directory?
Oral Authorization Needed
Data backup plan
Organizations must create and store exact copies of electronic protected health information; the plan defines how the system is being backed up, the method of backing up the data, the location of the backup, the frequency of the backup, and testing of the backup
Privacy Rule
Organizations must implement policies and procedures to address each standard and a process to ensure that they are being followed
Challenges of Privacy and Security in HIE
Patient identity/patient matching; consumer privacy/patient rights
Security
Physical and electronic protection of information
Contingency plan (disaster plan)
Prepares organizations for an event that may happen which could impact the ability to access patient information, the integrity of the information, or the confidentiality of information
Elements of Protecting Patient Information
Privacy, confidentiality, and security
Minimum necessary
Privacy Rule standard that requires a covered entity or business associate to make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose
Emergency access
Procedures for getting access to the necessary ePHI in the event of an emergency situation
Security Rule
Required vs. addressable standards; administrative safeguards; physical safeguards; technical safeguards; organizational safeguards
Best practices of Privacy and Security in HIE
Risk analysis; policies and procedures; dedicated individual or team; education of the workforce
Contrary
A state law is contrary when 1) a covered entity determines that it is impossible to comply with both the federal and state privacy regulations, or 2) compliance with the state law would create a barrier to compliance with the federal regulations.
The Privacy Rule was established to a. protect the rights of healthcare consumers b. improve the efficiency and effectiveness of healthcare delivery c. improve the quality of healthcare d. all of the above
d. all of the above, p308
Privacy
The right of an individual to be let alone
Breach Notification Rule
Unauthorized uses and disclosures of PHI (protected health information) at any time may be considered a breach; requires covered entities and business associates to investigate/evaluate whether a breach occurred using specific guidelines/protocols (risk assessment)
Examples of Data Security Methods
User authentication, Encryption, Decryption, Malicious software (malware) management
A lawyer requests a copy of a patient's medical records for litigation
Written authorization
A provider's office calls to retrieve emergency room records for a patient's follow-up appointment
Written authorization
Trojan horse
a destructive piece of programming code hidden in another piece of programming code (a macro or email message) that looks harmless
The process of making sure the correct patient information is being used or disclosed is called a. Verification b. Confirmation c. Authentication d. Certification
a. Confirmation
A covered entity may use protected health information for whatever means deemed appropriate as long as they are the organization that created the protected health information. a. True b. False
a. False (????)p308
Protected health information can be information about a patient that refers to their past, present or future health and conditions. a. True b. False
a. False, Individually identifiable health information p307
A disclosure is the release, transfer, provision of access to, or divulging in any manner of information inside the organization. a. True b. False
a. True
Security is the means by which the privacy and confidentiality of information is maintained. a. True b. False
a. True, 306
If a state's privacy laws are more strict than HIPAA, the covered entity must follow the state law versus HIPAA. a. True b. False
a. True, 308
______ is an example of a biometric identification used for authentication. a. Voice recognition b. Plastic identification cards c. Advanced algorithm methods d. Personalized numeric pin
a. Voice recognition
The purpose of a notice of privacy practices is to inform patients of a. how a healthcare provider may use and share the patient's health information b. the cost of care c. the organization's mission and vision d. the facility's healthcare statistics
a. how a healthcare provider may use and share the patient's health information, p308
The Privacy Rule
allows the patient to agree or object to disclosure of PHI within the facility directory
Reidentification
an organization can apply a specific code, or other means, to the data for future identification purposes; however, the specific code cannot be derived from any type of data element that comes from the patient's health information
Malware
any program that causes harm to systems by unauthorized access, unauthorized disclosure, destruction, or loss of integrity of any info
Addressable Standards
as amended by HITECH, the implementation specifications of the HIPAA Security Rule that are designated as "addressable" rather than "required"; the covered entity must implement the specification as written, implement an alternative, or document that the specification does not apply to the organization or applies with negligible probability
For protected health information to be deidentified per the Safe Harbor Deidentification method, 16 data elements must be removed. a. True b. False
b. False, 18 data elements p316
______ is individually identifiable health information held or transmitted by a covered entity or business associate. a. Designated Record Set b. Protected Health Information (PHI) c. Disclosure List d. Directory Information
b. Protected Health Information (PHI), 307
The ______ requires organizations to implement policies and procedures to safeguard the facility and equipment from unauthorized access, tampering, and theft. a. Contingency Plan b. Security Plan c. Media and Device Controls d. Emergency Mode Operations Plan
b. Security Plan (?)
The HITECH-HIPAA Omnibus Privacy Act a. established the Privacy Rule b. was enacted in response to strengthen HITECH Act privacy and security requirements c. distinguished the difference between privacy, confidentiality, and security d. identified addressable standards for the Security Rule
b. was enacted in response to strengthen HITECH Act privacy and security requirements, 310
______ is text that is considered unreadable or unusable. a. Plaintext b. Cryptographic key c. Ciphertext d. Decryption
c. Ciphertext p327
When implementing a health information exchange, the following two areas were common gaps relating to privacy and security identified by HIMSS and AHIMA: a. Patient consent/authorization and PHI access audit trails b. PHI access audit trails and user authentication c. Patient consent/authorization and restriction of sensitive information d. Restriction of sensitive information and user authentication
c. Patient consent/authorization and restriction of sensitive information, p331
Standards that are mandated and must be implemented as written by the HIPAA Security Rule are called a. Addressable standards b. Terminology standards c. Required standards d. Privacy standards
c. Required standards p309
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was originally established to achieve all of the following except a. protect against fraud and abuse b. ensure health insurance continuity c. establish standard terminology for EHRs d. set standards for electronic claims
c. establish standard terminology for EHRs, p307
The Privacy and Security Rules require workforce training that a. is conducted face-to-face b. occurs only when an employee is hired c. includes general training, job specific training, and ongoing training d. covers the patient's responsibility in the security of their PHI
c. includes general training, job specific training, and ongoing training, p335
Virus
computer program, typically hidden, that attaches itself to another program (host) and has the ability to replicate and cause various forms of harm to the data
Criticality Analysis
consists of evaluating each of the different systems in the organization to determine how crucial the information in the system is to day-to-day healthcare operations and patient care
A patient has the right to request a(n) ______, which describes where the covered entity has disclosed patient information for the past 6 years outside of treatment, payment, and healthcare operations. a. Disclosure List b. Designated Record Set c. Amendment of Medical Record d. Accounting of Disclosures
d. Accounting of Disclosures, p316
A part of the policy and procedure that should be created to manage access to a health information exchange should address which of the following? a. Termination of user access b. User access establishment c. Patient consent process d. All of the above
d. All of the above p330-331
The following should be established when allowing workforce members to use mobile devices to get access to PHI a. Mobile device policies and procedures b. Procedures for reporting lost or stolen devices c. Acceptable behaviors and use of ePHI on mobile technology d. All of the above
d. All of the above, 332-333
The Security Rule specifies ______ that must be in place to protect information systems, buildings, and equipment from natural and environmental hazards. a. Technical safeguards b. Organizational safeguards c. Administrative safeguards d. Physical safeguards
d. Physical safeguards, p309
Malware programs that reproduce on their own that have no need for a host application are ______. a. Logic bombs b. Rootkits c. Viruses d. Worms
d. Worms, p328
Data in Motion
data that are in the process of being transmitted from one location to another location such as an e-mail
Compound Authorization
defined by HIPAA, an authorization cannot be extended to include other documents except in clearly defined instances (i.e., disclosure of PHI for a research study can extend to another study)
Designated record set (DRS)
defined by HITECH, a group of records maintained by or for a covered entity that is 1) medical records and billing records about individuals, 2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or 3) used by or for the covered entity to make decisions about individuals
Covered entity
defined by HITECH, 1) a health plan, 2) a healthcare clearinghouse, or 3) a healthcare provider who transmits any health information in electronic form in connection with a covered transaction
Reasonable cause
defined by HITECH, an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect
Willful neglect
defined by HITECH, conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated
Authorization
defined by HITECH, covered entity may not use or disclose protected health information without an authorization that is valid
Breach
defined by HITECH, the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Security or Privacy Rules
Required Standards
defined by HITECH; under the Security Rule, implementation specifications (detailed instructions for implementing a particular standard) that must be implemented as written.
Transfer the risk
outsourcing or insuring the risk against any potential loss to the organization
Bring your own device
personal devices that are allowed to be used within a healthcare organization and interact with electronic protected health information (ePHI)
Stringent
refers to state laws that exceed federal law standards
Breach Notification Rule
requires covered entities to establish policies and procedures to investigate an unauthorized use or disclosure of PHI to determine if a breach occurred and to notify affected individuals and the Dept. of HHS
Residual Risk
risk that remains after no additional controls are implemented
Assessment
systematic collection and review of information pertaining to an individual who wants to receive healthcare services or enter a healthcare setting
Deidentification
the act of removing from a health record or data set any information that could be used to identify the individual to whom the data apply in order to protect his or her confidentiality
Worm
type of computer virus, usually transferred from computer to computer via e-mail, that can replicate itself and use memory but cannot attach itself to other programs (i.e., a host)
Rootkit
type of malicious software that will remotely access or control a computer without being detected by users or security programs