HIPAA Quiz
more sensitive info
mental health situations, addiction and substance abuse, HIV/AIDS status, pregnancy, and genetic information
legal guardian
need court documents, make a copy and put in patient's file, appropriate and necessary?
de-identified information
not protected and include state in which patient resides, partial zip code if large region, year of birth, year of death; be cautious not to link to person
Security in HIPAA
safeguards that covered entities and business associates must implement to protect confidentiality, integrity, and availability of electronic PHI
Three rules of HIPAA
Privacy, Security, Breach Notification
Can you borrow your preceptor's password for the EMAR for the day?
NO, don't give it out, and don't write it down where others can find
One of your close friends and classmates was on rotation during their APPEs at the same pharmacy you are currently finishing your rotation. He became close to a patient who was diagnosed with cancer. He asks you how the patient is doing when you are together during class. Is it okay to tell him?
No
What was HIPAA designed to do?
Set national privacy standards for when a patient's protected health information can be used and disclosed, Allow for easier access by patients to receive care seamlessly among various providers while having protections, and Set standards and requirements for the security of electronic transmission of health information
patient's birth year
de-identified PHI
HIPAA-covered entity
healthcare provider, health plan, health insurer, healthcare clearinghouse, business associate of covered entity. all in relation to the provision of healthcare or payment for healthcare services
can notify family/friends involved in patient's care
patient's general condition, location, ready for discharge, death
Violations of HIPAA are Grounds for Discipline
professionally incompetent, may create danger to patient's life, health, safety; violate federal/state laws
PHI can be released without patient authorization for
public health situations, sale, transfer, or merger of a covered entity or business associate, contracted business associate, patient based on request, when required by law, legal subpoena/court order, comply with worker's compensation, avoid serious threats to safety, DEA or Board inspectors
Disclosures
release PHI to someone (attorney, patient, faxing)
marketing
requires authorization by patient
PHI examples
Health records, health histories, lab test results, medical bills, medication profiles, and medication labeling, names, dates except year, telephone numbers, geographic data, fax numbers, SSN, email addresses, medical record numbers, account numbers, genetic information, health plan beneficiary, certificate/license numbers, vehicle identifiers, Web URLs, device identifiers + serial numbers
power of attorney?
depends; Designated Agent rights to access care, treatment and payment information are not effective until the patient is declared incapacitated by two physicians or one physician and one therapist; declaration of incapacity form must be submitted prior to honoring a request
patient authorizations should contain
description of the information to be used/disclosed, name of the individuals or entities who are giving and receiving the info, purpose of the disclosure, an expiration date for use, and needs to be a separate, individually signed document
Organization must
designate a privacy officer, develop sanctions for non-compliance, notice of privacy practices, train those in direct contact with PHI
PHI can refer to all of the following
electronic, paper, verbal; individual's past, present, and future physical or mental health or condition; provision of health care to the individual; the past, present, or future payment for the provision of health care to the individual
psychotherapy notes
extremely sensitive, not required or useful for treatment/payment; patient authorization needed for disclosing for any reason: meds, med treatment plans, diagnosis, symptoms, progress
business associates liable as a covered entity
fail to disclose PHI to US Department of HHS, comply with requests, establish agreements, report a breach, comply with minimum necessary requirements, provide accounting of disclosures
NOT considered marketing
refill reminders, product coverage and formulary placement, product substitutions, treatment recommendations that are patient specific, drug utilization review, general health info like how to care for diabetes, lower blood pressure and other disease state managements
Breach Notification
requires covered entities to notify affected individuals, Department of Health and Human Services, and the media of unsecured PHI breach
Uses
review or use PHI internally
Privacy in HIPAA
sets national standards for when PHI may be used/disclosed
can you look yourself up at a hospital/office if you're the patient?
CEI says this is NOT a HIPAA violation. Rotation manual says it is.
Which is true with regard to electronic message of patient information?
CMS allows texting of patient information on a secured platform but not for patient orders
Why is Privacy Important?
Code of ethics, gift of trust, maintain that trust, serve the patient in a private and confidential manner
The Health Insurance Portability and Accountability Act of 1996 was designed to do all of the following EXCEPT:
Create a framework for protecting genetic information so it is not used to discriminate in determining treatment
student takes paper copies and puts them in their car, someone breaks in and steals
Don't take PHI home with you; if granted access, may be able to get remote access to EMAR; deidentify patient if need to take home for case presentation
Why is Privacy Important?
Ethics, Hippocratic Oath, and Oath of a Pharmacist: protect all information entrusted, hold to the highest principles of moral, ethical, and legal conduct
Which of the following are examples of Protected Health Information (PHI)?
Patient's Name, Patient's Date of Birth, Patient's Medication List (all of the above)
True or false: The "minimum necessary" requirement of HIPAA refers to using or disclosing/releasing only the minimum PHI necessary to accomplish the purpose of use, disclosure or request.
True
PHI
any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity
Who does NOT have to provide a privacy notice, follow admin requirements, or patients' access rights?
business associates
Can you share about a psych patient that shot a family?
students can discuss patient cases but should deidentify the patients unless taking care of them on same rotation. DON'T discuss RARE cases like psychotherapy notes, HIV status, or substance abuse