"HIPAA"

¡Supera tus tareas y exámenes ahora con Quizwiz!

So what is the point of HIPAA

-Makes it easier and more affordable for pele to obtain health insurance -Prohibits group health plans from denying or charging extra for coverage bc of persons past or present poor health -standardizes claims submitted electronically

Your patient has moved to another section of the hospital. May you access his record in order to follow his progress

-No (because they are now out of your care. You may go visit or inquire about patient but you cannot look at his records)

The privacy rule allows providers to disclose pt info only to

-Provide care -Arrange for payment from insurer -Allow pt to find out info disclosed -Allow pt to inspect & obtain a copy of the medical records

Transactions Can Occur Between...

-Provider to Health Plan directly -Through Provider Clearinghouse -Through Health Plan Clearinghouse -Between Clearinghouses -With a single Clearinghouse

What is Protected Health Information

-any info about past or present health status, provision of health care, or payment for health care that can be linked to a specific individual *Info that is pertinent

HIPAA Security Standards

-assigned security responsibility -controls over physical media -policy over workstation use -physical access controls -secure workstation location -security awareness training -passwords/authentication -disaster recovery procedures -network protection -audit trails

Name some examples of physical safeguards

-control access to records (limited access files) -policies for workstation use

HIPSA

...

What are two ways to de-identify information

1) A formal determination by a qualified statistician 2) Removing specified identifiers of the individual and of the individual's relatives, household members, and employers.

What year was HIPAA privacy standards established to protect personal health information?

2003

When did the privacy rule take effect

2003

When was the Security Rule issued

2003

privacy confidential use of PHI (for treatment, billing, etc) access (and amend their health) information provide specific authorization (for use of health info) name withheld (from patient directories) information (concerning their care) not be released (to specific people) (specific) people not told of presence (in a facility)

7 HIPAA patient rights

Minimum civil penalty for HIPAA violation due to reasonable cause and not due to willful neglect (REASONABLE CAUSE)

$1,000 per violation, with an annual maximum of $100,000 for repeat violations

Minimum civil penalty for HIPAA violation due to willful neglect but violation is corrected within the required time period (WILLFUL NEGLECT with correction)

$10,000 per violation, with an annual maximum of $250,000 for repeat violations

Minimum civil penalty for HIPAA violation in which individuals did not know they were violating HIPAA (IGNORANCE)

$100 per violation, with an annual maximum of $25,000 for repeat violations

Anyone caught selling private heatlh care information can be fined up to:

$250,000 and 10 years

Penalties for selling, transferring, or using for profit or malicious harm

$250,000 and or up or 10 years in prison

inappropriate discloser

$50 fine and/or year in prison

Penalties for knowing misuse

$50,000 and/or up to 1 year in prison

Maximum civil penalty for all types of HIPAA violations

$50,000 per violation, with an annual maximum of $1.5 million

Minimum civil penalty for HIPAA violation due to willful neglect and is not corrected (WILLFUL NEGLECT without correction)

$50,000 per violation, with an annual maximum of $1.5 million

Maximum criminal penalty for violations involving false pretenses

A $100,000 fine, with up to five years in prison

Health Care Common Procedure Code Systems (HCPCS)

A classification system for medical procedures, services, and supplies. It was set up to give providers a coding system that describes specific products, supplies, and services patients receive that are not in CPT.

Which of the following are health care providers

B: chiropractors, ophthalmologist and hospital

Business Assocate

BA. Any person or organization that's not part of a CE's workforce, who works for aCE and is exposed to PHI. Examples would be medical labs and transcriptionists. Special contracts must be signed with CE's that hold them to similar legal standards as CE's under HIPAA

One good rule to prevent unauthorized access to computer data is:

Black the screen or turn off the computer when you leave it

HIPAA Privacy rule CE bill___

C-CE safeguard of patient record

Department of Justice

Government agency that investigates the most serious violations of the Privacy Rule

Medical coverage offered b an employer to an employee is a

Group Health Plan

What security standards describe how electronic PHI must be safeguarded?

HIPAA

What guidelines has HIPAA established further for Mobile and Media devices?

HIPAA Security Guidance for Remote use of and Access to Electronic Protected Health Information

3

HIPAA governs how many types of covered entitities.

Confidentiality issues

All patient information must be kept confidential and shared only with the appropriate staff involved in the care of the patient.

business associates

HIPPA also applies to ____ ____ -- a person or entity that uses/performs an activity that involves the use of PHI while providing services to a covered entity

Business Associate

An individual or organization that provided business services to a CE and agrees to protect their patient health information

Protected Health Information PHI

Any piece of information that identifies or could be used to identify a specific individual

HIPAA Compliance required

April 2003

Malpractice claims

Are lawsuits by a patient against a physician for errors in diagnosis or treatment.

Negligence cases

Are those in which a person believes medical professional's actions, or lack thereof, caused harm to the patient.

Unique Identifiers Rule

As of 2007, health care providers must have a national provider identifier (NPI) whenever submitting information *everyone filing for Medicare MUST have an NPI number

You are a hospital employee who is looking for your friend that is a patient, how should you find out what room she is in?

Ask at the nurse's station or information desk what her room number is

To confirm appts or leave a message on VM or text you should

Ask in advance it you are allowed to do so

What year was HIPAA invented?

August 21, 1996

tech issue of HIPAA addresses___

B-access to ePHI

Omnibus Final Rule

Harm threshold replaced with burden of proving "low probability that PHI has been compromised".

What does HITECH Act stand for?

Health Information Technology for Economic and Clinical Health Act

HIPAA

Health Insurance Portability and Accountability Act

What does HIPAA stand for?

Health Insurance Portability and Accountability Act of 1996

What is HIPAA

Health Insurance Portability and Accountability Act of 1996

What is the "Need to Know Principle?"

Is the info necessary for your job function? How much info do you need? How much do other people need to know?

What must the Notice of Privacy Practices must be placed where?

It must be posted in a clearly visible and prominent location on-site, on the CE website, made available on request.

An example of indirect provider is___

Laboratory

Who is responsible for enforcing the privacy regulations

U.S Department of. Health and Human Services

Confidentiality: The right to privacy as defined by the __________ and the __________.

U.S. Constitution American Red Cross Association

OSHA is apart of what division?

U.S. Department of Labor

happens when the HCW discloses pt. information to someone outside the HC team w/o authorization

Unauthorized Disclosure

Place of Service (POS)

Under HIPAA administrative code that indicates where medical services were provide.

National Provider Identifier (NPI)

Under HIPAA, a system for uniquely identifying all providers of health care services, supplies, and equipment.

I do not want my doctor calling me at home. What do I do?

Under the Privacy Rule, patients can request that their doctor's health plans and other covered entities take reasonable steps to ensure that their communications with the patient are confidential. For example, a patient could ask a doctor to call his or her office rather than home, and the doctor's office should comply with that request if it can be reasonably accommodated.

What is the "Minimum Necessary" rule?

Utilization/release of info to the min. necessary to accomplish the intended purpose of the use, disclosure, or request

smt ppl make weird request

We don't necessary need to honor it.

Can you put a patient's name on hospital doors?

Yes-code team needs to be able to find the patient quickly

Subpoenas

_____ for court appearances and testimony can authorize disclosure of PHI.

computer storage media

_______ containing patient records should be completely wiped.

children

_______'s access to their own records is governed by state law

File rooms to be

Locked

Breach examples

Loss or theft of computer Mailing PHI to the wrong pt Leaving files and or computer available for others to see Leaving a voicemail with PHI for others to heat Sharing info with unauthorized person

What is the original goal of HIPAA?

Make it easier for pts to move from one health insurance plan to another

What is the minimum necessary rule

Makes reasonable efforts to limit the protected health info to the minimum necessary to accomplish the purposes of a use, disclosure, or request

Organized Health Care Arrangements

May or may not contract as one entity, chose to share PHI; each is separately liable

What records contain information about a patient's health over time?

Medical

Group Health Plan (GHP)

Medical insurance offered to employees and played for in part or in full by an employer.

PHI protects

Medical or dental condition Tx or diagnosis Payment for healthcare Any other ID info in record

In 1998, Department of Health and Human Services (HHS) directed to bring health programs in compliance with the Patients' Bill of Rights. What are those two programs?

Medicare and Medicaid

Minimum Necessary Rule

Must only disclose the bare minimum PHI necessary to do a particular job or task. However, for treatment we do not have to limit PHI to the minimum because as much info as possible is needed to treat the patient.

Never call patients on my cell phone

NEVER email/text the patients about their info

Are there different rules for private sector and public sector covered entities?

NO - The provisions of the Privacy Rule generally apply equally to private and public sector covered entities. For example, private hospitals and government run hospitals covered by the Privacy Rule have to comply with the full range of requirements.

Is the hospital prevented from sharing information with the patient's family without the patient's express consent?

NO -Under "the Privacy Rule, a health care provider may disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual," the medical information directly relevant to such person's involvement with the patient's care or payment related to the patient's care.

What does OSHA stand for?

Occupational Safety and Health Administration

Breach occurs when

Occurs when PHI is acquired accessed used or disclosed in a way that HIPAA doesn't permit

Tier A of HIPAA

Offender did not know

Who enforces civil violations of HIPAA privacy standards?

Office for Civil Rights (OCR)

OCR

Office of Civil Rights

Who prosecutes fraud and abuse in the healthcare industry while overseeing Medicare and Medicaid?

Office of Inspector General (OIG)

Never leave computer files

Open

Electronic Medical Records (EMR)

Or Electronic Health Record (EHR or EMR) Collection of health information that is immediately electronically accessible by authorized companies.

Access to info have to honor TPO: Treatment Payment and Operation

Otherwise, we will be liable for our actions

Individually identifiable health information

PHI

protected health information

PHI

need to know principle

PHI could be shared with as few individual as needed to ensure patient care

Do NOT ever tell pts about their PHI on phone/text/mail or any types of social media

PHI example: leave a voicemail for Mr. Smith about his Heart surgery appointment => No! just appointment

ePHI

PHI that is stored or transmitted in electronic form.

protected medical information

PMI

If you are sending information via e-mail, security is best maintained with:

PW protection, encryption if it goes over internet, destroying printouts or placing in charts

Make sure you ask who else can hear what I am saying

Page patients only if you have their permission Don't announce names or specific info Use low voices Find a private place to discuss private info

Under HIPAA what must health care providers ensure is always maintained?

Patient Confidentiality

__________ Protects identifiable information being used to analyze patient safety events and improve patient safety

Patient Safety Rule

the _____________ Act ensures the patient has a voice in their end of life decisions

Patient Self Detirmination

Can patients access their medical records?

Patients generally should be able to see and obtain copies of their medical records AND request corrections if they identify errors and mistakes. The covered entities may charge patients for the cost of copying and sending the records.

30

Patients have a right to view and copy their PHI withing __ days of requesting it, either free or for a reasonable fee as per HIPAA regulations.

PHI

Patients have the right to be told how their _________ can be used.

Notice of Privacy Practices

Patients must sign an additional document stating that they have read and reviewed the providers _________.

Most important point about privacy rule

Patients want to know that info is not being shared

Health Care Provider

Person/organization who provides, bills for, and is paid for health care services Only covered if they transmit info electronically according to HIPAA rules

Who have increased controls over the way they manage and store patient information?

Pharmacies

HIPAA applies to

Photographs Radiographs Paper Spoken info Electronic (emails/fax)

Zero Tolerance

Polices which are being adapted in healthcare organization in regard to workforce members who violate the organization privacy policies.

who in health care organize and is responsible for location of HIPAA____

Privacy Officer

Administrative Requirements

Privacy Officer, prominent Notice of Privacy Practices, a policy/procedure for use/disclosure of PHI.

What is a major goal of the Privacy Rule

Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being

What are Pharmacy Technicians and pharmacists responsible for maintaining in order to protect PHI of patients?

Privacy Standards

What four main areas in the health industry was changed because of HIPAA?

Privacy of health information, Standards of electronic transactions of health information and claims, Security of electronic health information, National identifiers for the parties health care transactions.

security standard are enforce by the ___

CMS

Title I

COBRA is under this part of HIPAA

How did HIPAA get started

Came about after complaints to Congress "regarding sale of patients info" by the healthcare providers to companies that were using the patients info for marketing of supplies and services to private practices

What does CDC stand for?

Centers for Disease Control and Prevention

Penalty: Civil ($$$) or Criminal

Civil = 1 year cap and fined up to 1.5mil

Expressed contract

Clearly stated in written or spoken words.

Electronic Medical Records (EMR) Or Electronic Health Record (EHR or EMR)

Collection of health information that is immediately electronically accessible by authorized companies.

What did the OIG create?

Compliance Program Guidelines

What allows employees who are leaving a job to elect to continue their previous employer's health coverage for a limited time?

Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA)

Hybrid Entities

Covered entity that does both covered and non-covered functions (privacy rule restricted to certain parts of the entity)

"Right to a choice of health care providers," "Must be sufficient to assure access to appropriate high-quality health care," & "Includes the ability to see specialists if your medical care requires it" ARE ALL CONSIDERED TO BE WHICH PATIENT RIGHT?

RIGHT TO CHOOSE

What should every patient receive and sign?

Receive a Notice and be asked to sign an Authorization

The patients has the right to

Receive a copy of their personal health records Change incorrect or incomplete info Ask to be contacted regarding health info. via telephone, mail, and/or fax File a complaint

Uses and Disclosures

Referring to the use and disclosure of a patient's personal health information.

PHI

Refers to any patient information in any form that is created or received by a covered entity, relates to a patient's health condition in the past, present, or future, and identifies the patient.

PHI is disclosed when it is divulged in any way or when someone

Releases it Transfers it Provides it to someone Accesses it outside the dental practice

What are the actions that attribute to disclosure?

Releasing, Transferring, Providing Access, Divulging

What is owned by the patient or person who has a stake in the outcome?

Electronic Health Records (EHR)

List 4 breaches of confidentiality.

Rumors Talking in public areas Unauthorized Disclosure Computerized Information

A pt's confidential info includes:

SS number address age all related health information including allergies

What specifies how patient information is protected on computer networks, the Internet, the extranet, and disks and other storage media?

Security Rule

What is transforming information via an algorithm to make it unreadable to anyone who does not possess the decryption information required to read it?

Encryption

Notice of Privacy Practices (NPP)

A document stating the privacy policies and procedures of a covered entity. (CE)

Notice of Proposed Rule-Making (NPRM)

A document that describes and explains rules that federal Government proposes to adopt at some future date. Interested parties are invited to subscribe comments, which may then be used in developing a final regulation.

Deficit Reduction Act (DRA) of 2005

A federal law designed to reduce fraudulent claims. It encourages states to pass their own false claims acts.

Designated Record Set (DRS)

A group of medical records. For providers, it includes medical and billing records but not other items, such as lab tests. For a health plan, the designated record set includes enrollment, payment, claim decisions, and medical management systems of the plan.

Covered Entity (CE)

A health plan, a healthcare clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

Administrative Law Judge ( ALJ)

A judge who presides over complaint hearing in HHS and makes determinations of penalties.

Administrative Law Judge ALJ)

A judge who presides over complaint hearing in HHS and makes determinations of penalties.

When patient records are to be discarded, they should be destroyed by whom?

A licensed, bonded company

Claim Adjustment Reason Codes (RC)

A national administrative code set that identifies the reasons for any differences, or adjustments, between the original provider charge for a claim or service and the payer's payment for it.

Content Standard

Specifies both the data elements that may be transmitted as part of a transaction and how these elements should be coded

Format Standard

Specifies the way elements must be formatted when they are transmitted

Authorization

Statement needed to release PHI for reasons other than treatment, payment of healthcare operation

What are Treatment, payment, and healthcare operations referred to as?

TPHCO

Administrative Safeguards

Technical safeguard,s organization safeguards, policies and procedures, documentation, requirements and physical safeguards to protect the privacy of PHI

Designated record set

a group of medical records that includes a provider's medical and billing records

Authenication

a person or system is who they purpose to be. (ID)

privacy official

a person responsible for all activities related to the development, implementation, and modification of activities involving the privacy of and access to PHI as required by federal, state, local, and organizational regulations and policies. The privacy official assists staff when requests are made for information and receives complaints.

Qualified protected order

an order of the court that prohibits parties from using protected health information for any purpose other than litigation or proceeding for which the PHI has been requested.

Treatment. Payment

and health care operations (TPO), Under HIPAA, the rule that patient's protected health information may be shared without authorization for the purposes of treatment, payment, and operations.

PHI

any data that identifies: name, MR#, SSN, diagnosis, lab result, past/present photos, relatives' names, employer DOB

Who is a covered entity

any health care provider (regardless of size) who electronically transmits health information in connection with transactions

PHI

any piece of information that identifies or could be used to identify any specific individual

patient may revoke authorization at___

anytime

Privacy Rule

applies to all healthcare providers, healthcare clearinghouses and healthcare plans

What are security rules?

apply to PHI that is sent electronically; these rules govern PHI that is being transmitted, used, or stored in electronic format

manage, store

as a result of the privacy rule of 2003, pharmacies have direct control over the way they ______ and ______ patients information.

tiered system

look to ____ ____ (consequences) for those that violate HIPPA -- 4 tiers

Confidentiality applies to both to ________ and _________ information learned during the course of exams/hospitalization.

medical personal

victim (domestic violence, abuse, neglect by parent/guardian) emancipated seeking treatment (family planning, psychiatric counseling, substance abuse)

minor given permission first and cannot disclose PHI to parent/guardian if

Fax machines

not considered electronic communications, fall under written rules

NOPP

notice of privacy practices

NPI mandate for use__

now

What do patients have the right to do?

register complaints with federal agencies and with the facility if they feel their rights have been violated

Consent

required under some states' laws but not by HIPAA, authorizes the CE to disclose the individual's PHI to carry out TPO. You should check with your privacy official to determine whether the state you are working in requires consent

HITECH law: *TQ- will be on the FINAL

smth about Mean for you

physical security/workstation

disaster control, physical access control and device and media control

What is DNR?

do not resuscitate

Encounter

form of documentation that is undertaken for every visit is also known as an ______, visits to healthcare providers are documented thoroughly.

office of civil rights

government agency that accepts and investigates complaints related to the Privacy Rule, it enforces civil violations of HIPAA privacy standards,

PHI

health information that relates to a past, present, or future physical or mental health condition.

3 covered entities

health insurance plans, health care providers and clearinghouses

talk to instructor

if ever in doubt about what info may be given out

Medical should be retained for ____

indefinitely

Required Disclosures

individuals or their personal reps. HHS for purposes of a compliance investigation, review or enforcement action.

Disclosure

the release, transfer, or sharing of health information with another individual or entity outside the healthcare organization holding this information

What is res ipsa loquitur?

the thing speaks for itself

Title I

this part of HIPAA focuses on continuation of health insurance coverage and insurance reform

What did HIPAA call DHH for?

to: • Standardize electronic patient health, administrative and financial data • Insure unique health identifiers for individuals, employers, health plans and health care providers • Insure security, confidentiality, integrity of PHI

Authorized use of info

treatment billing healthcare operations

Discussion of patient records should occur in private only, NOT in elevators, hallways, waiting areas, parking lots...

true

privacy rule

under this rule, information belongs to the patients, and they have the right to control who is able to view it. it applies to healthcare providers, health insurance plans, and clearing houses.

HIPAA Penalties

-$100 per violation, $25,000 cap -Criminal penalties (1-10 years based on intent)

Under HIPPA a health care plan can look back for pre-existing conditions up to____

6 month

Authorization

Allows use of PHI for any purposes other than TPO

HITECH act

American recovery and reinvestment act of 2009 signed into law enhanced and expanded HIPPA privacy and security rules penalties for violating one's privacy

When did HIPAA become effective

April 2003

What are the goals of ePHI?

Availability, Confidentiality, and Integrity of the information

What is the privacy rule of HIPAA?

-federal standard for PHI protection -preserve quality health care -assure security, privacy and confidentiality

COBRA requires ____

C

Privacy officer must be ___

C

What does the notice give patients?

-info about their rights -a description of how their PHI may be used by the facility -a comprehensive list of others to whom their health information may be disclosed

When referring to PHI, what must you avoid

-names, geographic identifiers, dates related to individual, phone #s, email addresses, social security numbers, medical record #s, etc

What are privacy rule required activities?

-notification -implementation -training -privacy official -security

Penalties for misuse under false pretenses

$100,000 and or up to 5 years in prison

Leaving voicemails

* Do not mention diagnosis or planned treatment! * Do not mention specifics "the Root Canal clinic" * It is OK to confirm an appointment date and time

Ex 2: a nice, sweet lady ask in a very soft voice and ask for Bob's prob

*IMP* Tell her: sure, let's wait until Bob is finish w/ his Tx and have him list you on the Friends and Family info release section. I will be here all day and explain to you everything you want to know

Medicare and Medicaid wil require plans to provide critical information and allow patients to compare information about health care -- this is called __________?

Information disclosure

Notice of privacy practices

Informed patients on their rights of privacy.

Negligence

Is used to describe actions of a practitioners fail to excercise ordinary care resulting in patient injury.

Patient consent

It is the written permission from individuals to use and disclose their PHI for purposes of providing treatment, obtaining payment, and conducting healthcare operations.

ICD-9-CM International Classification of Diseases

Ninth Revision, Clinical Modification., Mandatory code set used by the United States. It provides rules for selecting and sequencing diagnosis codes in both the inpatient and the outpatient environments.

What do providers use to explain to patients how their PHI may be used and disclosed?

Notice of Privacy Practices (NOPP)

PHI

Personal Health Information

Operations

Providers are allowed to share information in order to conduct normal business activities.

Tier B of HIPAA

Reasonable cause and not willful neglect

Release of Information (ROI)

Release of information (ROI) of a patient's information.

Right to review and copy your own medical records & Right to request amendments to your own medical records are CONSIDERED TO BE WHICH PATIENT RIGHT?

Right to Privacy

Transaction Standards

Standards that support the uniform format and sequence of data during transmission from one healthcare entity to another

If state laws are more strict, which law applies

State

What is children's access to their own records governed by?

State Law

What regulates many types of health insurance?

State Law

What is the history of HIPAA?

The US federal government passed a law in 1996 that created national standard to protect patient medical records and other personal health information

Under HIPAA

The individual has the right to inspect a copy of his or her health record

Retaliation

The privacy rule prohibits acts of revenge know as _________, against any person filing a complaint about a privacy violation.

Patients have the right to receive accurate, easily understood information to assist them in making informed decisions about their health plans, facilities and professionals is which Basic Patient Right?

The right to information

Title II

The rules in this part of HIPAA cover administrative, financial, and case management policies and procedures. It contains strict requirements for the uniform transfer rules of patient confidentiality.

**About de-identified PHI

There are no restrictions on the use or disclosure of de-identified health information.

State laws

These types of law regulatesmany types of health insurance

What are the two main sections of the law?

Title 1: Health Care Portability Title 2: Privacy Rule

What are the primary goals of HIPAA?

To improve the portability and continuity of healthcare coverage

What is a transaction

Transactions = claims, benefit eligibility inquiries, referral authorizations, etc.

Health Care Clearinghouse

Translates data content or format for another entity from non-standard transaction formats to standard format

TPO

Treatment Payment Operations

There must now be a system in place to record the name of every person that views a patients records

True

True/False The difference in length of time allow in compliance for small health plan and large health plan

True

True/False There are no restrictions of de-identified health information

True

who regulates HIPAA___

U.S. government

Treatment. Payment, and health care operations (TPO)

Under HIPAA, the rule that patient's protected health information may be shared without authorization for the purposes of treatment, payment, and operations.

Criminal penalties

When an individual violates HIPAA for knowing or wrongful misuse of individuals health info

In general, information about a patient can be shared:

When it is directly related to treatment

Validated

When protected health information PHI is being used or disclosed for reasons other than treatment, payment, or healthcare operations, the authorization for the release of the PHI must be....

When can you disclose relevant info? (3)

When the patient agrees, gives patient opportunity to object and they do not, when the physician decides based on professional judgement that the patient doesn't object.

judicial

_____ orders can override a patients preferences regarding the release of PHI.

HIPAA is ________ driven

Complain driven

How must computer storage media be discarded?

Completely Wiped

Authorization

Consent given after patient education given

Passwords

Do not reveal your password to anyone and don't post it near computer

Examples of privacy safeguards

Door locks Cabinet locks Procedures for handling charts and computer screens Alarm systems Policies about who is permitted to access PHI

"Minimum necessary"

a concept of the Privacy Rule under which CEs are required to implement reasonable policies and procedures for workforce member to limit their use and disclosure of PHI to the minimum necessary to accomplish the intended purpose.

Security:

ability to control access to and protect info

What are HIPAA requirements for security

administrative physical technical

EDI

Electronic Data Interchange

What are often confused with EMRs?

Electronic Health Records (EHR)

What is owned by the delivery organization?

Electronic Medical Records (EMR)

What may also be shared between authorized healthcare professionals more easily than paper records?

Electronic Medical Records (EMR)

What record system is not really interactive with the patient?

Electronic Medical Records (EMR)

What do HIPAA security standards focus on?

Electronic PHI (Protected Health Information)

The set of rules that provide admin. simplification by standardizing the codes and formats used for the exchange of data is referred to as:

Electronic Transaction Record

Required to train health care workers

Employer

ERISA

Employer offered health plans are regulated by this Act of 1974

Rule 1: Don't ask for more info than you need

Ex:

Info sys activity review:

Extremely Imp especially in case of Audit

HIPAA mandates the creation of unique identifier code for every patient

False

The general privacy rule now states that every effort must be made to notify patients of the institutions privacy policy and to obtain written acknowledgement of this

False

The issue of portability deals with protecting coverage for employees who change jobs.

False

Who regulates HIPAA

Federal and state regulated

The right to privacy gives birth to what organization?

Health Insurance Portability and Accountability Act

What does HIPAA stand for?

Health Insurance Portability and Accountability Act

What is Title I of HIPAA called?

Health Insurance Reform

HIPAA_defined code sets that serve as standards for all electronic data interchange include:

ICDM-10, CPT, ANSI X12N Not ID ANSI

information technology

IT department

Why is it important to only talk about patient information in private areas?

If someone that isn't taking care of the patient hears it, it would be a HIPAA violation.

EDI

electronic data interchange

What is respondeat superior?

healthcare facility responsible for employees during the course of employment

another term for HIPAA

public law 104-191

which of the following is the violation of the sarbanes-oxley act____

punishing a whistle blower

self referrals

referring patients to an entity in which the referrer receives some monetary compensation

Information "disclosure"

release outside of organization.

emailing PHI

secure encrypted, remove PHI from response, do nor forward from secure to non secure account, remind pts note to send PHI by email, cut and paste in word doc, cut and paste in word doc. password protect file, call recipient with password, send in a separate email

minimum standards

set forth ____ ____ of basic privacy protection

disclosure

sharing information outside the entity

4 ways the law has changed the way business is conducted in the health care industry

standards for privacy, standards for electronic transactions, standards for security and standards for unique national identifiers

You can reveal medical information needed for research if

the patient authorizes it

electronic health records

the records rely on EMRs to be in place

Administrative code sets

these are non-medical code sets. used for administrative information and include simple and complex codes

Risk Analysis

what risks we have

What are the components of HIPAA

-Title 1: Access, Portability and Renewability *Intended to protect workers and their families when they change jobs & limits restrictions that group health can place on preexisting condition -Title II: Administrative Simplification *Penalties for privacy violations & control against fraud and abuse (arising from electronic sharing of personal information)

Confidentiality Issues

All patient information must be kept confidential and shared only with the appropriate staff involved in the care of the patient.

True/False An NPI will change every year

False

Always use info from medical records only

For the TX of pt

privacy rule

Guideline under HIPAA that sets national standards for the protection of health information

Malpractice

Is the negligent delivery of professional services.

What are pharmacy technicians not authorized to make decisions about for the patient?

Medication Decisions

Who has the right to view and copy their PHI within 30 days of requesting it, with free or for a reasonable fee as per HIPAA regulations?

Patients

False

True/False. medical records cannot be considered legal documents so accuracy is not very vital when documenting that appropriate medical care has been given to each patient.

One exception to confidentiality is

a minor that is pregnant

security rule

ability to control access to protect PHI

Health Information

any information, whether oral or recorded in any form.

Cryptography is the ___

encoding of a message

Office of civil rights

government agent that accepts and investigates complaints related to the Privacy Rule

How long can preexisting condition last?

may not last for more than 12 months (18 months for late enrollment)

OHS

office of hipaa standards

What is included in health information?

▫ Demographics, that identifies or can be used to identify a person ▫ Health condition ▫ Name ▫ Treatment ▫ Payment

If breach happens

-if this happens REPORT IMMEDIATELY IN WRITING to the designated person in the office

What is the IRB

-institutional review board: an appropriately constituted group that has been formally designated to review and monitor biomedical research involving human subjects

Consent Must Contain

-plain language -anticipated uses and disclosures -right to request restrictions -right to revoke consent -date/signature -mention of notice of privacy practice

Administrative Requirements of HIPAA

-policies/procedures -safeguards (protect PHI) -mitigation -workforce training -employee sanctions -personnel designations -complaint process -documentation for 6 years

PHI Exceptions

-public health -FDA medical device malfunction -criminal investigations -mandated reporting of abuse -suspicious deaths/injuries -health oversight; disciplinary action -worker's comp -emergency

What are the elements to prove malpractice?

1. breach of the accepted standard of care 2. causation 3. damages

Implied contract

Actions or conducts of the parties, rather than words.

final enforcement rule

HIPAA rule of 2006 that clarified that both acts and omissions may constitute violations

Electronic

HIPAA security standards focus on what kinds of PHI.

HIPAA Electronic Health Care Transactions and Code Sets (TCS)

HIPAA standards governing the electronic exchange of health information using standard formats and standard code sets

Current Dental Terminology (CDT)

HIPAA-mandated code set for procedures performed in a dental office.

health care provider id

NPO- national provider identifier

What is Title II of HIPAA called?

Administrative Simplification

Who participates in the protection of patient records?

All Healthcare Professionals

Intentional Torts

Assualt, invasion of privacy, defamination of character, battery, fraud, false imprisonment.

National security

Entities that may have access to PHI generally any time they request it.

...

Guideline under HIPAA that sets national standards for the protection of health information

Notice of privacy practices aka

HIPAA form

What is DNR/CC Arrest?

all needed tx until heart stops

security incident

attempted or successful unauthorized access, use, disclosure, modification or destruction of PHI

Title II

controls the private health information of individuals. It is known as administrative simplification.

The proliferation of computers in medicine has:

created new dangers for breaches of confidentiality

Can one doctor's office send the medical records of a patient to another doctor's office without that patient's consent?

YES - NO CONSENT IS NECESSARY for one doctor's office to transfer a patient's medical records to another doctor's office for treatment purposes.

What does durable mean?

means person remain in control until patient dies or a court removes the person

What does HIPAA provide?

national floor

Notice of privacy practices

paperwork given to client's explaining your policies & procedures

Facilities will no longer be able to post ______ anyplae where visitors might see them. This includes door tags and whiteboards at nurse's stations that are in public view:

patients full names

employer id

ein-employer identification number

What does stand for CIA?

ensure the confidentiality, integrity and availability of all ePHI

What are covered entities?

health care providers who transmit health information electronically

kickbacks

incentive given to those who defraud others

incidental disclosures

incidental release of confidential information

IIHI

individually identifiable health information

disclosure

information released to an outside entity whether by email, fax, verbally, or in writing.

____________________ is when patient agrees to the proposed course of treatment after having been told about the possible consequences of having or not having the procedure or treatments.

informed consent

patients have the right to

inspect and obtain copies of their PHI produced during psychotherapy

office for civil rights

investigates complaints

True/False Title one cover administration simplification

False

True/False You should feel comfortable for sharing password even if physician gives you the password

False

True/False Patients has the right to request restrictions on use of PHI

True

True/False Rule for release of information do not cover court order by CE

True

True/False State Law requires that physicians must report of certain disease

True

which of the following is violation of the privacy rule___

c

Chart

...

CDT-4

code set used for dental services

PHI

Protected Health Information

What are the three advanced directives?

• Living Will • Durable Power of Attorney • Do Not Resuscitate Order

What is the Living Will?

A will in which the patient requests not to be kept alive by medical life-support systems in the event of a terminal illness

True/False CE may not charge for patient copy of medical records

False

Protected Health Information Includes

Name/dates/phone/email/SSN/Account numbers/medical record numbers/ vehicle information/IP address/ biometric identifiers/full face images/any other identifying information

Unintentional Torts

Negligence, malpractice.

Must all healthcare providers adhear to the Patients' Bill of rights?

No, only medicare and medicaid

PHI stands for

Protected Health Information

Confidentiality

The practice of permitting only certain authorized individuals to access info with the understanding that they will disclose it only to other authorized individuals

Assualt

To cause another person to feel threatened.

If the use of patient information does not fall under TPHCO what must be obtained before the information can be shared with anyone?

Written authorization

contingency plan

backup and recovery plan required

NDC

code set used for drug products

Firewalls and paswords helps protect

e-mails and electronic transmissions

What is Electronic Protected Health Information also referred to as?

ePHI

What records may be stored in computers and related peripheral devise, and transmitter over computer networks, over the Internet, and on removable media that interfaces with computers?

ePHI

ePHI

electronic Protected Health Information

What programs came together to create medicare and medicade?

"Patients' Bill of Rights and Responsibilities" & Department of Health and Human Services (HHS)

What are the key elements to the privacy rule?

-covered entities -transaction standards -practice, purpose, requirements -compliance and enforcement -research -clinical application

What must be protected by healthcare personnel, including pharmacy technicians, who must know which types of information they can release?

Access to Medical Records

HIPAA

Act of 1996 that deals with the patients right to preserve privacy

False Claims Act

Act that prohibits false claims and misrepresentations, and rewards "whistle-blowers" who alert the government to cases of fraud.

____________ are the expression of a patient's decisions regarding end of life issues.

Advanced Directives

HITECH Act

Breach Notification introduced to HCPs.

A law firm that does business with a health care is called an ____

Business Associate

HIPAA rules apply to____

C: workers, provider, and insurer

Who develop Universal Precautions and Standard Precautions?

CDC

The key standard of practice for interpreters related to HIPAA

CONFIDENTIALITY, through HIPAA's Privacy Rule, which regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities," and its Security Rule, which deals with electronic information

•minor is victim of domestic violence, abuse, or neglect by parent/guardian •minor is emancipated •is minor is seeking treatment for family planning, psychiatric counseling, or substance abuse

Cannot disclose to a parent/guardian if:

Health providers responsibility regarding confidentiality

Comply with protocols Provide "notice of privacy practices (NPP) document

What in general, is the patient's ethical right to privacy and is protected by law?

Confidentiality

What does HIPAA recommend the inclusion of, an instruction that anyone who receives the communication in error should immediately contact the sender and destroy the information received?

Confidentiality Notice

May a pharmacist disclose to a treating physician that a patient is a receiving a prescription drug for the treatment of substance abuse?

Depends on where the pharmacist is working NO, if pharmacist works for a federally funded substance abuse treatment facility YES, If the pharmacist does not work for a federally funded substance abuse treatment facility

Fraud

Depriving or attempting to deprive a person of his or her rights.

What must be handled with great care?

Discarded Patient Information (DPI)

What must never be thrown in to the trash, because documented cases exist of individuals who have stolen both paper records and computer disks containing hundreds or thousands of patient records?

Discarded Patient Information (DPI)

licensed, bonded company

Discarded patient information must be handled with care. When patient records are to be discarded, they should be destroyed by a ________. it should never be thrown into the trash.

What is the release of PHI to any outside entity referred to?

Disclosure

What may be made by e-mail, fax, verbally, or in writing?

Disclosure

What occurs when the entity holding the information performs any of the following actions causing the information to move outside the entity: Releasing, Transferring, Providing Access, Divulging (in any manner)

Disclosure

Exceptions to the Minimum Necessary Use

Disclosure is requsted by the patient or a personal representative, Investigation of a complaint by the Department of Health and Human Services, Any suspected case of domestic violence.

Examples of Universal Precations

Disposable gloves, masks, goggles, face shield, gowns.

_____________ A type of advance directive in which the patient chooses a person to make medical decisions for them if they become unable to do so

Durable Power of Attorney

True or False: A HCW can release pt info for statistical purposes without authorization.

False

True/False A cross walk is not created to match UPIN to NPI

False

True/False COBRA guarantees health coverage for at least 3 yrs unemployment

False

True/False Electronic Data Interchange is between people and and computer

False

True/False HIPAA preemptions to state laws

False

True/False HIPAA privacy rule debt collection agency

False

True/False Health care provider must obtain..notify patient disease

False

True/False If more than one doctor is treating the patient, physician need to assign authorization

False

True/False Malware is a type of secure software

False

True/False Office sign in sheet are banned by HIPAA

False

True/False PHI stands for private health information

False

True/False Parent must always be notified if minor is pregnant

False

True/False There is a natural identifier set up for patient

False

True or False: A HCW exposed to a contagious disease has the right to know of the pt's health status

False; he/she DOES NOT have that right

Office of the Inspector General (OIG)

Federal agency that investigates and prosecutes fraud against government health care programs such as Medicare.

department of health and human services

who enforces HIPAA standards and regulations, which also enforces situations of related abuse and fraud.

trained employees

who may protect patients records and must also understand the legal regulations about who may have access to them?

What is fraud?

willful and intentional misrepresentation of facts that may cause harm to an individuals or result in loss of an individual right or property

What is assault?

willful attempt or threat to inflict injury

Dental records are legal records?

yes

Civil Money Penalties (CMP)

Financial penalties imposed by the OIG for a wide variety of conduct.

Maximum criminal penalty for violations involving intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm

Fines of $250,000, and imprisonment for up to ten years

__________ is a notice of privacy practices available to individuals

Formal document

___________ is an entity that processes or facilitates the processing of information received from another entity.

Health Care Clearinghouses

Who enforces HIPAA regulations and government standards, and is conducted by the Office of Inspector General and the Department of Justice?

Health Care Fraud and Abuse Control Program

What is HITECH Act

Health Information Technology for Economic and Clinical Health Focus is on privacy and security concerns of e-transmission of health information

Who is affected by HIPAA?

Health Insurance Plans Health Care Providers Health Care Clearinghouses

HIPAA

Health Insurance Portability & Accountability Act

HIPAA stands for

Health Insurance Portability and Accountability Act

HIPAA stands for___

Health Insurance Portability and Accountability Act

___________ are an individual or group plan that provides or pays the cost of medical care

Health Plans

Name two examples of how sharing health information publicly results in a bad way?

Health information could be used to restrict or terminate employment, and can be used to sell insurance products for finacial gain.

What may harm patients financially and ever medically if unsafe procedures are performed as a result?

Healthcare Fraud and Abuse

Who are Medical records shared with in order to provide accurate patient care?

Healthcare Professionals

Who is impacted by HIPAA?

Healthcare providers Health plans Health care clearinghouses

What does HIPAA stand for?

Hospital Insurance Portability and Accountability Act

$100-$25,000

How much money could you owe for a Tier A HIPAA violation?

$1,000-$100,000

How much money could you owe for a Tier B HIPAA violation?

$10,000-$25,000

How much money could you owe for a Tier C HIPAA violation?

$50,000-$1.5 million

How much money could you owe for a Tier D HIPAA violation?

The pt. has the right to know:

How the info is being used a summary of pt rights how to obtain a copy of his health record how to file a complaint when and where info was disclosed and with whom

Privacy

Is the individuals right to keep certain info to him/her self with the understanding that the info will only be disclosed with his or her permission

What does the code HCPCS stand for?

Items, Supplies, and non-physician Services

Is it true that the Privacy Rule mandates all sorts of new disclosures of my patient information?

NO - Disclosure is mandated in ONLY TWO SITUATIONS: 1) To the individual patient upon request 2) To the Secretary of the Department of Health and Human Services for use in oversight investigations

Does the Privacy Rule prevent members of the clergy from finding out whether members of their congregation are hospitalized?

NO - HIPAA specifically provides that hospitals may continue the practice of disclosing directory information "to members of the clergy," UNLESS the patient has objected to such disclosure.

Is the hospital prevented from sharing a patient's directory information?

NO - The Privacy Rule permits hospitals to continue the practice of providing directory information to the public unless the patient has specifically chosen to opt out.

Protected Health Information

PHI. Patients' medical/billing records protected under HIPAA. Covers past, present, or future. Can be written, printed, recorded, photographed, or oral. Must be destroyed by burning or cross-cut shredding

Healthcare Fraud and Abuse Control Program

Program that enforces HIPAA regulations and government standards, and is conducted by the OIG and DOJ.

National Council for Prescription Drug Programs

Programs that create and promote data transfer standards relating to the practice of pharmacy. Members of this program must receive education tailored to their pharmacy practice, and also receive database services.

What does PHI stand for

Protected Health Information

What does PHI stand for?

Protected Health Information

What is PHI?

Protected Health Information

What is controlled by HIPAA for covered entities use and disclosure?

Protected Health Information (PHI)

What is violated if the Patient's Name, Address, Medical Record Numbers, or Phone Numbers are disclosed?

Protected Health Information (PHI)

What may be used or disclosed by providers as long as the use or disclosure relates to treatment, payment, or the operation of the provider's business activities?

Protected Health Information (PHI)

What is PHI

Protected Health Information (PHI) PHI identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

Notice of privacy practices

Provided to patient each time policies change

Payment

Providers are allowed to share information in order to receive payment in order to provide care to patients.

Treament

Providers are allowed to share information to provide care.

In what programs are you not permitted to reveal the ID of a pt (pt usually referred to as Jane/John Doe)

Psychiatry/Chemical Dependency

Reasons to Terminate Care?

Refusal to follow physician instructions, personality conflicts, failure to pay for services rendered,repeated failure to keep appointments, patient family members complaints, disagreement regarding medication orders.

Remittance Advice Remark Codes (REM)

Remark codes maintained by CMS and used by payers to explain why payments differ from billed amounts.

"Means that if a person truly is experiencing a medical emergency they may seek emergency medical care" IS CONSIDERED TO BE WHICH PATIENT RIGHT?

Right to Access to Emergency Services

"If a patient is unable to participate fully, they may have representation" IS CONSIDERED TO BE WHICH PATIENT RIGHT?

Right to Being a Full Partner in Health Care Decisions

When a person uses the PHI he or she

Shares Employs Applies Utilizes Examines Analyzes The info w/in the dental practice

Patients Charts

Should not be left in holders on treatment doors.

Dispose of PHI

Shredding

Requirements to disclose

Some require a patients authorization but some do not Examples : 1.specialists 2. Dental plan

What is an autonomous person?

Someone who is capable of making their own decisions and pursuing their individual path.

Who has less protection concerning the disclosure of their PHI?

State and Federal prisoners

What does individually identifiable mean?

That the information used would identify a specific patient, unique to that patient.

Who enforces non-privacy standards?

The Centers for Medicare and Medicaid Services (CMS)

Title II

The portion of the HIPAA law known as administrative simplification. The rules in this section cover administrative, financial, and case management policies and procedures. It contains strict requirements for the uniform transfer rules of patient confidentiality.

What is HIPAA

The privacy of all patients protected health information

Notice of Privacy Practices

These are created by providers which detail their policies and procedures, and make it available to anyone who requests it.

Medical Code Sets

These are used to encode data elements concerning specific diagnoses and clinical procedures. There are six code sets used for clinical information.

Privacy Standards

These standards require that privacy policies be appropriate to the services provided, and a specific person within the organization oversees them. Pharmacy techs and Pharmacists are responsible for maintaining them in order to protect PHI of patients.

State and Federal Prisoners

This group of people has less protection concerning the disclosure or their PHI, though state statutes may overrule HIPAA in certain circumstances

COBRA

Title I of HIPAA can also be referred to as

What restricted electronic transfer of healthcare data, gave patients more rights regarding their own personal health information, and put in place better security of this information?

Title II of HIPAA

Two main sections of the law.

Title one: health care portability Title two: preventing healthcare fraud and abuse; administrative simplification; medical liability reform.

TPO

Treatment payment operations

TPO

Treatment, Payment and Health Care Operations

What does TPO stand for?

Treatment, Payment, Operations.

Permitted Uses

Treatment, Payment, and Healthcare Ops (TPO)

Title I The portion of the HIPAA law concerned with health insurance reform.

The main purpose of Title I is to ensure continuation of health coverage when employees change jobs. It also entitles people who leave a job to continue their health insurance coverage as a private payer for a limited period of time under COBRA.

Administrative Simplification (ASCA)

The part of HIPAA that gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative codes sets should be used; to require the use of national identfication systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the standards to protect the security and privacy of ePHI. This is Title II.

Title I

The portion of the HIPAA law concerned with health insurance reform. The main purpose of Title I is to ensure continuation of health coverage when employees change jobs. It also entitles people who leave a job to continue their health insurance coverage as a private payer for a limited period of time under COBRA.

T/F: Every health care organization is expected to develop policies and procedures to guide HIPAA practices within their facility

True

T/F: Every person who provides care or assistance to patients in that facility is expected to understand and comply with HIPAA regulations. It is essential that all patient health information be kept confidential

True

The single most important key to administrative simplification is standardizing throughout the healthcare system a set of transaction standard and code sets

True

True or False: Access to the chart is only direction by the pt, not by the MD

True

True or False: Families are denied access to their relative's chart even when terminally ill

True

True or False: The patient has the right to request that the info. disclosed be limited, but the hospital is not required to agree with restrictions.

True

True/False A health plan may be offered by employer, CE and other groups.

True

True/False A remittance advice is a statement that includes how and why a claim is denied

True

True/False All CE must have NPP information available for patient and member

True

True/False Business association must follow HIPAA standard

True

True/False Electronic medical record may..thought to reduce medical error

True

True/False Encryption is the encoding of message

True

True/False Fraud is intentionally and abuse is not on purpose

True

True/False HIPAA standard apply to only to electronic transaction of CE

True

True/False Medical records are legal documents

True

True/False Patient can request amendment to medical record

True

True/False Patient medical record may be withheld between certain restrictions

True

True/False Under HIPAA all CE are require to perform risk analysis

True

True/False Under HIPAA consent of ePHI makes sure information is not change during transmission

True

True/False Using PHI for profit result in prison and 250,000 in fine

True

True

True/False. PHI may be transmitted electronically, via the internet and other methods. It includes all of a patients basic information as well as that of relatives, employers, and health insurance providers.

Reasonable

Under the Privacy Rule, workforce members are expected to take _____ steps to safe guard protected health information.

What is The Patient Self Determination Act

Under this act it ensures that the patient has a voice to share their end of life decisions. Because these wishes "cover" something that hasn't happened yet they are called advanced directives.

Standard Precautions is a combination of what?

Universal Precautions and Body Substance Isolation guidelines

Impermissable

Unnecessary use or diclosure of health information that could have been reasonably prevented

What are HIPAA Criminal Penalties?

Up to $250,000 in fines -Imprisonment up to 10 years

Moral

Values serve as the basics for etical conduct.

Ex 1: Mom comes in and ask for daughter on Med record, yelling

Well, regardless how mad she is, NO means NO.

•communicable disease •abuse or child or elder •malfunctioning medical device •court order to release information •suspicious death or crimes •credible threat to do harm to someone

What are permitted releases

Tier D of HIPAA

Will full neglect and organization did not correct

Tier C of HIPAA

Will full neglect and violation was corrected

Does HIPAA permit the disclosure of an injured worker's protected health information without his or her authorization for the purposes of adjudicating the individual's Worker's Compensation claim?

Worker's Compensation plans are excluded from the definition of a "health plan." The Privacy Rule is not intended to impede the flow of health information to those who need it to process claims or coordinate care for injured or ill workers under the Worker's Compensation system. The minimum necessary provision requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose.

What must you have from the patient to release any of the patient's information?

Written authorization

Can HIPAA violations also affect your medical license or certification?

YES

Can the police get to protected health information in my pharmacy?

YES

Can I give prescription records to investigators from the Medical and Dental Boards?

YES A Board rule provides that a pharmacist may disclose pharmacy records to investigators of occupational licensing boards whose licensees have prescribing authority during the course of an investigation.

does the patient have the right to review notes in the pharmacy computer?

YES the patient does have the right to see that information.

Are health care providers allowed to use sign-in sheets and call out the names of patients in waiting rooms?

YES - - as long as the information disclosed is appropriately limited. For example, the sign-in sheet should not include the reason for your visit, since this is private medical information and does not need to be shared with other patients. purposes. This can be done by FAX, telephone or other means. Your health care provider is required to put in place reasonable and appropriate safeguards to protect your medical information. For example, your doctor's staff needs to confirm that the fax number they are using is correct.

Does HIPAA permit (not require) covered entitites to continue certain existing disclosures of health information for specific public responsibilities?

YES - These permitted disclosures include: * emergency circumstances; * identification of the body of a deceased person, or the cause of death; * public health needs; * research that involves limited data or has been independently approved by the Institutional Review Board; * oversight of the health care system; * judicial and administrative proceedings; * limited law enforcement activities; and * activities related to national defense and security. NOTE: The Privacy Rule generally establishes new safeguards and limits on these disclosures. Where no other law requires disclosures in these situations, covered entities may continue to use their professional judgement to decide whether to make such disclosures based on their own policies and ethical principles.

What does the Security Rule entail

defines administrative, physical and technical safeguards *i.e. if you are going to fax something, you must ALWAYS have a cover sheet

pre-existing exclusions for pregnancy___

does not apply

What is negligence?

doing something a reasonable person would not do

Electronic PHI

ePHI. Any PHI that is in electronic form (computers, copiers, faxes, and PDA

What is durable power of attorney?

effective when person incompetent to make decisions -usually determined by a living will -two separate individuals: medical and financial

warned reprimanded suspended removed

employees may be ____, ____, ____, or ____ from their position for viewing non-job related record or disclosing information

Workforce memebers

employees volunteers students and trainess of an healthcare organization

what are the 4 categories of identifiers

employer, provider, health plan and patient

privacy officer

every facility has a ____ ____ who oversees HIPAA implementation

physical safeguards

facility access control, workstation use, workstation security device and media controls

nursing code of ethics BU BSN handbook KY board of nursing standards of practice

failure to comply with HIPAA also violates 3 things

Who regulates employer-offered health plans?

federal Employee Retirement Income and Security Act of 1974 (ERISA)

Risk Mana

fig o/ a way to address them

intent to sell

fine of $250000 and/or prison 10 years

security audit, important because...

gate keeper for front end compliance, minimum necessary standard and need to know basis, hold users accountable, protect PHI, monitor systems and policy effectiveness

Ppl come in w/ Court Order

gotta call the Judges to verify for the Court order If the person bullies me and want it now, you can grab a sit or you can come back tmr

What is defamation?

holding up a person to ridicule, scorn or contempt

Under HIPAA the following are required to send electronic claims____

hospitals

What do privacy rules do?

identify what information is protected and define how and when PHI may be used or disclosed

1996

in ____ the US federal government passed a law (HIPAA) that created national standards to protect patient medical records and other personal health information

Covered Entity

includes health plans, healthcare clearinghouses, and healthcare providers who transmit health information

basic concepts security rule

info security risk assessment, risk analysis, risk management, separation of duties, least privilege, threats, vulnerabilities, cost effective security controls and safeguards

Integritiy

information content not alterable except under authorized circumatnces

Protected Health Information (PHI)

information generated int the course of providing healthcare that can be uniquely linked to them.

Disclosure

information must only be provided to the patient or person authorized by him or her; pharmacy personnel must understand how to properly interact with all family members, friends, and caretakers of the patient.

Authorization

is required before PHI can be used for any purpose other than TPO. The authorization form has required statements and core elements: A description of the information to be used or disclosed The names of the persons making the request A description of the purpose of the request An expiration date for the authorization The signature of the individual and the date

Title II The portion of the HIPAA law

known as administrative simplification. The rules in this section cover administrative, financial, and case management policies and procedures. It contains strict requirements for the uniform transfer rules of patient confidentiality.

computer security

lock up, firewall, anti virus, software updates, no unnecessary access, no unclear text or passwords, no proxy, encrypt, password protect, auto logoff, backup

controls

management controls focus on management of risk, operation control implemented, executed by workforce, technical controls, focus on controls executed by information system

chronological

medical record documents of the medical history of a patient are in ______ order

what are examples of entity departments HIPAA officers oversee?

medical staff, IT dept, legal advisory, risk mgmt, satellite clinics, ancillary depts(misc)

IT department

monitors your active unacceptable access will be flagged

Universal Precations

more exposure=more protection

written documents

must be monitored for proper protection

when business associate violate an agreement to protect PHI the CE______

must take steps to end the violation

What are some common

name address SSN medical records number

What makes up parameters?

name of procedure, benefits, risks/adverse effects, length of time, alternatives, consequences of refusal

What is the Privacy Rule

national standard for electronic transfers of health data

Purpose of HIPAA

national standards for electronic health care transactions national identifiers for providers, health plans, and employers. addressed the security and privacy of health data.

Does patient consent apply to HIPAA consent?

no

Confidentiality

no unauthorized informationd disclosure

ePHI

records that may be stored in computers and related peripheral devices, and transmitted over computer networks, over the internet, and on removable media that interfaces with computers

Electronic Health Care Transactions and Code Sets

set of standards that says all providers are required by HIPAA to use the same code sets, identifiers, and transaction when healthcare information is being transmitted.

Storage of paper information

should be in a lock cabinet

What is an authorization?

signed by the patient for use and disclosure of specific PHI that are not related to treatment, payment, or health care operations

health plans provider organization hospitals ambulatory facilities nursing homes home health

six covered entities HIPAA applies to

business associates

software vendor, health insurance company, cleaning service, copier service, billing company, medical equipment service company, legal advisors

security rule

specifies how patient information is protected on computer networks, the internet, extranet, and disks and other storage media.

ePHI PHI

that is stored or transmitted in electronic form.

USE

the act of accessing any health information by a workforce member for the purpose of performing a task within a healthcare organization

What are the four primary objectives of HIPAA?

• Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions • Eliminate fraud and abuse • Enforce standards for health information • Guarantee security and privacy of health information

While HIPAA will not ban calling a patient's name in a waiting room, to increase privacy a facility might consider

using a number tag system

Notice of Privacy Practices

using this notice, providers explain to patients how their PHI may be used and disclose, their access to his or her own information, patients full rights, and how to register complaints.

Sanction Policy

we have to honor the policy otherwise bad behavior will be documented and we will get in trouble

Availability

when and whee needed

Who enforces the privacy rule?

• Department of Health and Human Services • Office of Civil Rights can conduct reviews • Individuals can file a complaint

Read over patient responsibilities

• Providing information about past illnesses, hospitalizations, medications and any other thing that would affect their health care. • To participate effectively in health care decisions. • To get clarification if they do not understand. • For ensuring that the health care institution has a copy of advance directives or living will. • Informing physicians if they anticipate problems in following a prescribed treatment. • Be aware of hospital's obligation to provide care for other patients. • Providing information for insurance claims. • Making payment arrangements.

What are the three basic principals of HIPAA?

• Respect of persons • Beneficence • Justice

What are the seven right in the patients bill of rights?

• Right to information • Right to choose • Right to access emergency health services • Right to being a full partner in health care decisions • Right to care without discrimination • Right to privacy • Right to speedy complaint resolution

What are the three goals of Patients' Bill of Rights and Responsibilities?

• Strengthen consumer confidence that the health care system is fair and responsive to consumer needs • Reaffirm the importance of a strong relationship between patients and their health care providers • Reaffirm the critical role consumers play in safeguarding their own health

HIPAA law overrides most state laws that define and regulate patient privacy

False

Resonable steps

Must be taken to ensure your information stays confidential

Indirect providers

providers that include labs that handle patient test results

Direct providers

providers that provide direct treatment to patients

How many people, on average, have access to a single pt record?

75

How can you verify identity?

-a photo ID -password chosen by patient to ensure confidentiality -information known by those close to patient and who are permitted to access PHI

What is patient protection?

-access to medical records -notice of privacy practices -limits of use of PHI -prohibition on marketing -confidential communication

What information needs to be kept private?

-all information that identifies an individual -name, address, DOB, phone/fax, SS, medical record, hospital/room #, nursing/physician notes, treatment plans, billing/insurance records

Organizations or individuals that violate HIPAA rules are subject to monetary fines (up to ______) and civil or criminal charges (up to ___ in jail)

$ 250,000 and 10 years

Civil violation

$100 per person, per violation, up to $25,000 per calender year

Centers For Medicare and Medicaid Services (CMS)

(Formaly known as HCFA) The division of health and human services responsible for health care. CMS is responsible for Medicare and parts of Medicaid. CMS maintains specifications for various certifications for various certifications and authorizations used by the Medicare and Medicaid programs. CMS also maintains various code sets.

How does HIPAA affect State laws?

* The new federal privacy standards do not affect State laws that provide additional privacy protections for patients. * The Privacy Rule will set a national "floor" of privacy standards that protect all Americans, and any State law providing additional protections would continue to apply. * When a State law requires a certain disclosure-such as reporting an infectious disease outbreak to the public health authorities-the federal privacy regulations would not preempt the State law.

Individual Rights

- to receive a notice of the privacy practices of any health care provider health clearing house, or health plan. -to see their PHI and get a copy. - to request that changes be made to correct errors in their records or to add information that ha been omitted. - to see a list of some of the disclosures that have been made of their PHI. - to request that you give special treatment to their PHI. - to request confidential communications. - to complain.

What are HIPAA Civil Penalties?

-$100 per violation; up to $25,00 per year -More fines if multiple year violations

Purpose of HIPAA

-*Protects* individuals medical records and other personal health info -gives *patients more control* over their health info -established *safeguards*'that health care prof must achieve in order to protect the privacy of health info -hold *violators accountable* by imposing civil & criminal penalties if necessary

What Information that is exempt by law and must be reported to the proper authorities without the patient's consent. Name as many as you can.

-Births and deaths (filed with state registrar) -Injuries caused by violence (GSW) -Threats of serious bodily harm to another that may reasonably be believed. -Child abuse (physical/sexual) -Vehicular accidents involving drug/alcohol -A reportable communicable or sexually transmitted disease. (Some examples tuberculosis, hepatitis, AIDS, tetanus, gonorrhea, syphilis, chlamydia, and genital warts.)

Name some penalties that result from violations

-Civil penalties: fines -Criminal penalties: imprisonment and fines *There are BIG fines, and they are a lot larger for those who do something intentionally *There are a few examples on slides 15-19 on HIPPA ppt

HIPAA Enforcement Agencies

-Dept. of Justice -Centers for Medicare and Medicaid services -Electronic Healthcare Transaction and Code set Rule -National Employer Identifier Number Rule -Office for Civil Rights -Office of Inspector General

What are the three "Test Questions" when considering respecting others?

-Does it allow persons to freely and intelligently determine the course of the their own lives? -Does it relate to promises or commitments we have made explicitly or implicitly? -Can you apply the Golden Rule?

title II provisions

-Electronic health information transaction standards -Penalties -Privacy -Provider and health plan mandate and timetable (2 years to start) -State law preemption

True/False: according to HIPAA, you may not discuss a patient's health status and/or treatment with family members

-False (as long as you have patient's permission)

HIPAA

-Goal: improve portability and continuity of health insurance -Originated as plan to reduce health care administrative costs

Health Plan

-HMO -Group Health Plans -Medicare A/B -Medicare Advantage Plans -Medicaid

What are ways that HIPAA may be violated in the front office and medical records areas of a healthcare facility? Name as many as you can.

-Leaving paper charts where patient's/public have access -Not properly disposing of patient information, it should be shredded or in a confidential bin. -Leaving patient information a copier or fax machine. -Not using a password or having an easy password -Leaving medical CDs or DVDs where patient's/public has access

Authorization Must Contain

-PHI to be used/disclosed -persons to receive/make use of disclosure -expiration date -revocation rights -warning that it may be re-disclosed by another party

True/False: only those members of the healthcare workforce who are involved in a patient's care are allowed to review the patient's chart

-True

Requirements of a Covered Entity

-Written contract (permitted uses, disclosure, reporting of misuse of PHI) -Satisfactory assurance that they will safeguard PHI -Contract language requiring solution/termination after violations -NO: external monitoring

Can health care providers talk about patients if there is a chance of others hearing (such as at nursing station)

-Yes, if reasonable safeguards are used *Quiet conversation *Shielded records *Restricted personal access

Name some examples of administrative safeguards

-covered entities must adopt a privacy notice (patients must sign a consent form prior to receiving care) -CEs must train employees and students -CEs must appoint a privacy officer -Ces must be able to show proof of ongoing training and must be able to establish a complaint process

What does every agency must develop?

-develop policies and procedures that guide HIPAA implementation, evaluation and revision -develop a process for handling privacy related complaints

What are some exceptions to the release of PHI

-emergency situations, public health issues (when a person has been exposed to a communicable disease, law enforcement purposes, judicial and administrative proceedings, victims of abuse, organ procurement organizations, etc)

Name some examples of technical safeguards

-encryption -authentications process when communicating with others -documented risk analysis

What does every agency must ensure?

-ensure no retaliation occurs against someone who reports potential violations in good faith -ensure processes are in place to demonstrate compliance with documentation and record keeping

What are legal issues?

-good samaritan law -malpractice insurance -documentation:not documented/never happened -incident reports: for accident/injuries

What does HIPAA stand for

-health insurance portability and accountability act

The term "covered entity" refers to

-healthcare provider -insurance company

What are patient's bill of rights- medicare/medicaid?

-information disclosure -choice of providers/plans -access to emergency services -participation in treatment decisions -respect and nondiscrimination -confidentiality of health info -complaints and appeals -internal appeals -external appeals

What does PHI cover?

-information used within a facility -verbal or written information -information stored in computer files -patient information stored in paper files -data shared between providers, payers or third parties

What makes up consent?

-informed -implied -oral

What must you do before you can legally release PHI?

-must confirm the identity of the person requesting -determine if the requesting person is entitled to the information -verify what specific information this person is permitted to have

What are privacy rule purposes?

-patient -established boundaries -safeguards -penalties for violations -public disclosure

What are the key components of security rules?

-physical security: protects computer hardware, wiring, systems, areas, and buildings -technical security: determines the type of information that may be accessed by individuals -technical security mechanisms: automatically monitor computer systems and report suspicious activity -administrative procedures: outline steps taken by the facility to enforce security rules

What effects does the Unique Identifiers Rule have on research

-protection of participant info must be part of the IRB (institutional review board) approval...meaning, informed consent forms must include details on how the participants PHI will be protected *Retrospective files are more difficult *Reasons why we have IRB: Tuskegee files in Alabama; Henrietta Lax; testing drugs on prisoners

Compliance

-provider -clearinghouse -plans

What does the Privacy Rule entail

-regulates use and disclosure of information by "covered entities": health insurers, medical service -guidelines for sharing the minimum necessary information -ensures confidentiality of communication with patients

What makes up the patient's rights/responsibilities as appointed by president clinton?

-right to choose -right to information -access to emergency services -full partner in decision making -care without discrimination -right to privacy -right to speedy complain resolution -required to take responsibility for health care

What does HIPAA guarantee?

-right to privacy -right to confidential use of PHI -right to access and amend their health info -right to provide specific authorization -right to have their name withheld from patient directories -right to request that information concerning their care is not released to specific individuals -right to request that specific individuals are not told of their presence in a facility

What are the goals of patient's bill of rights?

-strengthen consumer confidence in healthcare -reaffirm strong between patient and healthcare provider -reaffirm critical role of patient's maintaining their own good health

When dealing with written or computerized info

-turn computer screens inward -post schedules on inside walls (hidden) -keep printed materials hidden -keep pt forms and charts face down on counter -when using a fax, call first to notify recipient

Is it permissible to fax information about a patient to another health care provider or insurer?

-yes (DON'T leave data in fax machine; use cover sheet)

What are some of the benefits of the Privacy Rule

-you have access to your own medical records -health care providers must state how personal medical info is used and disclosed (i.e. info can't be used for marketing without your consent) -you can find out who has accessed your records for the past 6 years -you can file a complaint if you suspect a violation -you can choose to have your name in the hospital directory *YOU MAY NOT LOOK AT A PT's RECORD if you are not treating them

Why do I have to sign an authorization?

1. An authorization is a more customized document that gives permission to use protected health information for specific purposes, which are generally other than treatment, payment, or operations. 2. An authorization is often used to disclose protected health information to a third party specified by the individual. 3. The authorization must state the purpose of each disclosure or use and the individual has the right to revoke it in writing.

HIPAA requirements

1. Dental offices are required to keep health info PRIVATE 2. Must notify patients of the privacy act 3. Must inform patients of their legal rights

HIPAA "Administrative Simplification" 4 ways

1. Electronic transactions and code sets standards requirements: use the same health care transactions, code sets, and identifiers. 2. Privacy requirements - govern disclosure of patient protected health information (PHI) while protecting patient rights. 3. Security requirements - administrative, technical, and physical safeguards required 4. National identifiers

4 Tips when working with computers/faxes

1. Encrypt any pt info sent in an email 2. double check address line of email 3. Pt info must be removed from computer before it is discarded 4. have a cover sheet on faxes containing pt. info

List the 3 consequences for breaches of confidentiality.

1. Lawsuit - monetary fine 2. Suspension/Termination 3. Loss/Revocation of License

At its core, HIPAA is designed to (5 ANSWERS)

1. Make health insurance more portable (helping workers/families to keep coverage with job changes) 2. Reduce healthcare fraud and abuse (which wastes 1/3 of every healthcare dollar 3. Improve efficiency and effectiveness (of payments and o/ transactions) 4. Protect the privacy and security of medical records 5. Build statistical data for analysis (to better understand diseases and how the spread)

6 Basic HIPAA guidelines:

1. Talk in a private location where you cannot be overheard. 2. Set up a code system for protecting info. given out via phone. 3. When authorization has not been given, firmly but politely withhold info. 4. Shield computer screens from people walking by. 5. Never share computer access codes. 6. Prior to discarding, shred printed records.

Exceptions to Confidentiality Governed by Reporting Laws

1. Threats of harm directed at 3rd party 2. Cases of child, adult, or elder abuse 3. Certain communicable diseases 4. Criminal wounds 5. Poisonings 6. Industrial accidents 7. Death of uncertain nature

What is the intent of the Privacy Rule?

1. To give individuals more control over their health information and to set boundaries on the use and release of health records. 2. To establish appropriate safeguards to protect privacy of health information and hold violators accountable through civil and criminal penalties. 3. It also strikes a common sense balance between privacy and the public good.

a provider who has fewer than ___

10

What year was the HIPAA act enacted

1996

Year in which HIPAA was introduced

1996

How many provisions of HIPAA are there?

2

financial and legal professional academic

3 other potential consequences of HIPAA violations

How long does a patient have to view or copy their requested records?

30 days

Length of time Doctor's office has to provide you with copies of your medical records

30 days

electronic written spoken heard

4 forms of PHI

elevators friends and family email printouts of PHI

4 high risk situations where tempted to disclose PHI inappropriately

How many deaths in a hospital are preventable?

44,000-98,000

photoduplicate/fax (patient documents) PHI notes in trash browse patient charts discuss information (where others may overhear) leave sensitive information visible

5 things the student CANNOT do

communicable diseases abuse (child or elder) malfunctioning medical devices court order (to release info) suspicious deaths/crimes credible threat (to do harm to someone)

6 permitted releases

keep records safe limiting access (to only those who need it) personal ID/passwords firewalls logging off screen turned (away from public) (posted information) out of sight random security (audit trails) cover sheets (when faxing)

9 ways facilities protect PHI

What is a notice for privacy practices

A document prepared by the dental office to tell patients 1. Some rights individuals that HIPAA gives them 2. How their PHI may be used and disclosed by the dental practice

What is HIPPA, (Health Insurance Portability & Accountability Act)?

A federal law imposed on all health care organizations.

False Claims Act (FCA)

A federal law that prohibits submitting a fraudulent claim or making a false statement or representation in connection with a claim.

Maximum criminal penalty for violations involving "knowingly" obtaining or disclosing individually identifiable health information

A fine of up to $50,000, as well as imprisonment up to one year

Covered Entity

A health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a transaction

Corporate Integrity Agreement (CIA)

A negotiated agreement between the OIG and a covered entity (CE) in which the CE agrees to certain obligations in return for the OIG's agreement not to exclude the CE from participation in federal health care programs.

Business Associate

A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity itself. Business associates, such as law firms and countenance must adhere to HIPAA standards in order to do business with a covered entity.

Business Associates

A person/organization who performs services to a covered entity that includes access to or use of protected health information -Hospital and community physician treating the same patient (not janitors)

What is a healthcare Clearinghouse

A public or private entity that transforms health care transactions from one format to another

National Plan and Provider Enumeration System (NPPES)

A system set up by HHS which processes applications for NPI's, assigns them, and then stores the data and identifying numbers for both health plans and providers.

What is Durable power of Attorney?

A type of advance directive in which the patient chooses a person to make medical decisions for them if they become unable to do so

American health information management association

AHIMA

In a hospital, the obligation to maintain confidentiality applies to:

All medical and personal information

HHS Interim Final Rule

Allowed covered entities to determine a breach based on "significant risk of harm"

Consent

Allows use and disclosure of PHI for TPO only, written consent must be obtained by "in-take" providers

30

Amendments may be requested to correct any parts of their PHI and these must usually be completed within __ days

Battery

An action that causes bodily harm to another, even touching without permission.

Certification of Compliance Agreement (CCA)

An agreement between the OIG and a health care entity in which the OIG negotiates a compliance agreement for infractions that are not considered serious.

Consolidated Omnibus Budget Reconciliation Act (COBRA)

An amendment to Title 1 of HIPAA that gives employees the right to continue health coverage as a private payer for a limited period of time once they leave a job.

Remittance Advice (RA)

An electronic message that explains how a payer arrived at benefits.

Designated Standard Maintenance Organization (DSMO)

An organization that has been designated by the secretary of HHS to perform those activities necessary to support the use of a HIPAA standard. Such organizations make technical corrections to an implementation specification, expand a code set, or recommend other modifications to keep the standard current.

Covered Entity

Any doctor's office, clinic, hospital, nursing home, or other entity that is covereed under HIPAA law. aka CE's. Have to meet certain conditions to be covered. Nearly every healthcare provider in USA is CE

Covered entity

Any health care provider, health insurance plans, or clearinghouse to which the Privacy Rule applies (those who must comply with HIPAA)

What is a Health plan

Any individual or group plan that provides or pays the cost of health care

"Minimum Necessary Standard"

Any individuals access to and use of PHI must be at a minimum amount necessary to accomplish the intended purpose or to perform the functions of their job

Who is a Healthcare provider

Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which standard requirements have been adopted. Hospitals, physicians, dentists, etc

Covered Entity

Any provider, health plan, or clearinghouse to which the Privacy Rule applies.

Code Set

Any set of codes used to encode data elements - includes terms, med. concepts, diagnostic codes, medical procedure codes (ICD 10, CPT)

When did HIPAA go into effect?

April 14, 2003

The privacy and data security portions of HIPPA go into effect

April 2003

Negligence cases

Are those in which a person believes a medical professional's actions, or lack thereof, caused harm to the patient.

When you don't recognize staff members who request info then you should

Ask for their ID

Security Risk Assessment

Assets - network/hardware/data Threats - employees/theft/hacker Vulnerabilities - poor controls/passwords Losses - fines/lawsuits/reputation Safeguards - designed to assess threats/vulnerabilities

Data security issues that must be addressed by HIPAA implementation teams include:

Back up, access controls, and internal audits

Why is it risky to take pictures in a healthcare facility?

Because you may accidentally get patient or patient's information in the picture (Armband, room sign, family pictures, anything that could identify a patient.)

Portability

Being able to transfer group health insurance form one job to another

Under HIPAA risk management is___

D: plan reduce threat security

Defamation of charactor

Damaging a person's reputation by making a public statement.

DII

De Indentified Information

HIPAA privacy rule

Deals with PHI in all its form, including medical charts and records.

________ is Med advice, treatment, diagnosis received or recommended DURING the 6 month period prior to an individuals enrollment date.

Defining Preexisting Condition

What was encouraged so routine business information exchange could be exchanged between computers?

Electronic Data Interchange (EDI)

What provides interactive patient access?

Electronic Health Records (EHR)

What relies on a EMR being in place?

Electronic Health Records (EHR)

What are preferred over paper records because they can be accessed more quickly, and take less room to store?

Electronic Medical Records (EMR)

What is a legal record of a care delivery organization upon which an EHR is based?

Electronic Medical Records (EMR)

Electronic information includes

Emails Desktops Laptops Electronic dental records Cd Roms Flash drives

Make sure your practice has security rules when using

Emails Passwords Social media Laptops Cd roms Flash drives Backing up data Encryption Disposing of electronics

Who does this regulation affect

Everywhere that submits health info as a claim to a dental plan to see if a patient is enrolled in a plan -healthcare providers -dental practices -hospitals -health plans -health ins -health care clearinghouse

Rule 3: Don't share more info to ppl than what they ask you

Ex: Joe choose not to share his health info w/ his family, friends and even his wife. His wife goes to the same church w/ Dr. Foutch and asks him about Joe's prob. Dr. Foutch goes back, checks and tells his wife what happen => So wrong!!! => Can't release info w/o pt's permission

Rule 2: Don't use more than what you need

Ex: sm ppl give you the full Med record => only use what I need so I don't get liable

Notice of Privacy Practice

Explains to the patient how we use their PHI • Must be available to all patients • Patients may decline to receive it

List at least 6 individually identifiable items

Geographic divisions smaller than a state (cities, counties) Specific dates Phone number Fax number email address SSN Medical record number Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers and serial numbers Device identifiers and serial numbers Web URLs IP address numbers Biometric identifiers (including finger, voice prints) Full face photo and other images Any other unique identifier

department of justice

Government agency that investigates the most serious violations of the Privacy Rule, prosecutes criminal violations

Privacy Rule

Guideline under HIPAA that sets national standards for the protection of health information

who assigns NPI___

HHS

health insurance portability and accountability act

HIPAA

__________ Protects the privacy of individually identifiable health information.

HIPAA Privacy Rule

What requires that covered entities implement policies and procedures that will prevent, detect, contain, and correct security violations?

HIPAA Security Rule

_____________ Sets the national standards for security of electronic protected health information.

HIPAA Security Rule

who oversees the privacy and security of the entity, training and stays up to date on current HIPAA regulations?

HIPAA officers

2003

HIPAA privacy standards were established in _____ to protect personal health information.

confidentiality notices

HIPAA recommends this notice be included instructing anyone who receives the communication in error should immediately contact the sender and destroy the information received.

What training must pharmacy technicians and pharmacists be acquainted with all policies and procedures designed to protect PHI?

HIPAA training

compliance guidelines

HIPAA- related privacy, training, and security regulations designed to focus on, correct, and maintain good healthcare practices

Current Procedural Terminology (CPT)

HIPAA-mandated procedural code set developed, owned, and maintained by the American Medical Association.

health information technology economic and clinical health

HITECH Act

HIPAA stand for

Health Insurance Portability & Accountability Act

Purpose

Improve healthcare through standardization of electronic data -Creates "floor" for Federal privacy protections

Confirm appts

In a generic way---leaving date and time only NEVER LEAVE DETAILS

What is Protected Health Information?

Individually-identifiable health information that is transmitted or maintained in form or medium

Torts are either _____ or _____.

Intentional Unintentional

False imprisonment

Intentional, unlawful restraint or confinement of a person.

Invasion of privacy

Interfer with a person's right to be left alone.

ICD-9-CM

International Classification of Diseases, Ninth Revision, Clinical Modification. Mandatory code set used by the United States. It provides rules for selecting and sequencing diagnosis codes in both the inpatient and the outpatient environments.

What is considered an unauthorized disclosure?

Invasion of Privacy

Law

Is a rule of conduct or action.

Security

Is a safeguard to protect electronic health info

Ethics

Is a standard of behavior.

Contracts

Is a voluntary agreement between two parties in which specific promises are made for consideration.

What can override a patient's preference regarding the release of PHI?

Judicial Orders

In Ohio, who has access to a child's medical records?

Legal Guardian

Affiliated Covered Entities

Legally separate entities with common ownership and control - permits use of PHI between facilities

Minimum Necessary Information

Limiting use and disclosure of Personal Health Info ("Patient's name, appointment time, doctor")

_____________ A will in which the patient requests not to be kept alive by medical life-support systems in the event of a terminal illness

Living Will

MSDS

Material safety data sheets

What is Beneficence?

Maximize possible benefits and minimize possible harms

US Treasury

Monies collected under penalties imposed under the Privacy Rule are deposited by the ________, not disbursed to the complainant.

Can providers release a patient's private health information to life insurers, financial institutions, employers, marketing firms, or another outside business for purposes not related to the patient's health care?

NO, unless the patient signs a specific authorization allowing the release.

A patient's sister calls to check on her, what information can you give her?

NONE, you cannot even say that she is a patient.

Notice of Privacy Practices

NPP. Notice that HIPAA requires CE's to give their patients. Briefly tells patients about their new HIPAA rights and how to use them

When a patient requests that his or her health information not be disclosed to anyone, who can the healthcare provider disclose the information to?

No One

Does using email mean the provider is a covered entitity

No, The transmission must be in connection with a transaction, sent electronically directly or using a billing service or other third party to do so on its behalf.

NPP

Notice of Privacy Practice -must be given to all patients -clear language -include an example of TPO

Before a procedure is carried out, a _________ must be given to the patient

Notice of Privacy Practices

What is a document that explains to patients how his or her PHI may be used and disclosed?

Notice of Privacy Practices (NOPP)

What must providers create, which details their policies and procedures, and make it available to anyone who requests it?

Notice of Privacy Practices (NOPP)

violation of privacy rules is enforces by____

OCR

Availability:

OD pro go down => can't access the info

Can a physician's office FAX my medical information to another physician's office?

The HIPAA Privacy Rule allows doctors to share your medical information for treatment purposes. This can be done by FAX, telephone or other means. YOUR HEALTH CARE PROVIDER IS REQUIRED TO PUT IN PLACE REASONABLE AND APPROPRIATE SAFEGUARDS TO PROTECT YOUR MEDICAL INFORMATION. For example, your doctor's staff needs to confirm that the fax number they are using is correct.

Protected Health Information (PHI)

The HIPAA terminology for individually identifiable health health information in any medium, except such information maintained in education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records.

The dental office must document that each pt received _______

The NPP acknowledgement (notice of privacy practices) -the patients signs the notice -if pt does not want to sign document your good faith effort to obtain their signature

Who must comply with the new HIPAA privacy standards?

The Privacy Rule covers: 1. Health plans 2. Health care clearinghouses 3. Health care providers who conduct certain transactions electronically

Office for Civil Rights (OCR)

The division of Health and Human Services responsible for enforcing the HIPAA privacy rules. Privacy is considered a civil right.

office for civil rights

The division of Health and Human Services responsible for enforcing the HIPAA privacy rules. Privacy is considered a civil right.

Centers For Medicare and Medicaid Services (CMS) (Formaly known as HCFA)

The division of health and human services responsible for health care. CMS is responsible for Medicare and parts of Medicaid. CMS maintains specifications for various certifications for various certifications and authorizations used by the Medicare and Medicaid programs. CMS also maintains various code sets.

Electronic Data Interchange (EDI)

The electronic exchange of information between computers, especially the exchange of health information among physicians and insurance companies.

electronic data interchange

The electronic exchange of information between computers, especially the exchange of health information among physicians and insurance companies.

Department of Health and Human Services (HHS)

The federal department that administers federal programs covering public health and welfare.

Department of Justice (DOJ)

The federal government's main law enforcement division.

Health Insurance Portability and Accountability Act (HIPAA) of 1996

The federal legislation covering rules regarding the health care industry, specifically how it is administered and rights of patients in regard to health care coverage and privacy.

Does the Privacy Rule set limits on how health plans and covered providers may use individually identifiable health information?

YES - To promote the best quality care for patients, the rule does NOT restrict the ability of doctors, nurses and other providers to share information needed to treat their patients. HOWEVER, in other situations personal health information generally may not be used for purposes not related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purposes.

Can I still pick up prescriptions for a family member?

YES - Under HIPAA, a family member or other individual may act on the patient's behalf "to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information."

May providers charge patients for the cost of copying and sending their requested medical records?

YES.

A clinic places patient charts in a plastic box outside of exam room. Would this practice be considered sufficiently secure

Yes

May a PT "discuss" patient's symptoms/treatment with another health care professional via email

Yes

A visitor calls to ask location and general condition of a friend. Are you permitted to disclose information?

Yes (if you recognize voice; you can be vague...if spouse, family member, etc)

Can state modify HIPAA?

Yes -- they can make rules stricter

In the patients' bill of rights is the consumer responsible for anything?

Yes : responsibilities are ones that patient must do... maintain good health

Can a provider disclose relevant info if the patient is not present or incapacitated?

Yes, if it is in the patient's best interest.

written authorization

______ must be obtained before information can be shared with anyone if the use of patient information does not fall under TPHCO

which of the following is the violation of the stark law___

a

privacy and security officer

a pharmacy often has a ___________ who handles disclosure of PHI. this officer usually receives referred requests from patients to access or amend their records, and strives to handle them in a timely manner.

regulation

a standard or guideline

The three criteria for criminal liability under HIPAA

a. To "knowingly" obtain or disclose individually identifiable health information b. False pretenses c. Intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm

What information can be disclosed without consent

abuse STI transmission by state vehicular accidents under influence research cadavers

technical safeguards

access control, audit control, integrity, person or entity authentication and transmission security

150

according to AHIMA an average of ____ people have access to patient medical record during a atypical hospitalization

Attribution/ non-repudiation

actions taken are traceable

patient sign-in sheets sould not contain

address, phone, or insurance carrier

what are 3 safeguards to protect ePHI in the security rule?

administrative, technical and physical

Centers for Medicare and Medicaid Services

agency that enforces non-privacy standards

Department of Justice

agency that prosecutes criminal violations

Office of Inspector General

agency that prosecutes fraud and abuse in the healthcare industry while overseeing Medicare and Medicaid

privacy rule

all PHI is to be private in any form or media

What are advanced directives?

allow patient to make decisions regarding care

State law preemption

allowed HIPAA to supersede state laws unless HHS decided otherwise; however, when state law is stronger, it must be followed.

authorization

allows use and disclosure of PHI for reasons other than TPO

minimum necessary

amount of information necessary to do the job

Healthplan

an individual or group plan that provided or pays the cost of medical care

The school can track down when, where, who and what info we look at on the EMR

because we have to log in to the system

organization requirements

business associate contacts and require of group health plans

BAC

business associate contract

ICD-9-CM

code set used for identifying disease and conditions

ICD volume 3

code set used for inpatient hospital services

HCPCS

code set used for items, supplies, and non-physician services

CPT-4

code set used for medical procedures and services

What is CC?

comfort care (pain meds, oxygen, nutritional support, supporting body, clearing the airway)

What is DNR/CC

only Tx for comfort care- NO CPR

Access Control

only authorized peresons, for authroized uses

"Covered Entity"

organization responsible for HIPAA compliance.

monitor for compliance investigate breaches report

organizations have a responsibility to ____ ____ ____ and must ____ ____ and ____ to its privacy officer

register a complaint violated

patients have the right to ____ ____ ____ with federal agencies and the facility if they feel their rights have been ____

opt out

patients right to refuse to be in directory or clergy list

Criminal Penalties

penalties assessed for intentional misuse of PHI, can be as high as $250,000 and up to 10 years in prison.

Civil Penalties

penalties usually given for violating privacy on an unintentional basis. can be as high as $25,000 in fines per year

consent

permission to disclose for reasons of TPO

incidental disclosures

permits ____ ____ that cannot be "reasonably prevented"

prescriber, pharmacist

pharmacy techs are not authorized to make medication decisions for patients-- they must follow the exact instructions of the _____ and the ________.

pharmacist, privacy officer

pharmacy techs should refer issues related to the disclosure of a child's PHI to the _______ or the _______.

trading partners

pharmacy, outside labs, health insurance company

compliance plans

plans that are designed to prevent illegal practices. they may serve as legal defense in the case of prosecution for fraud.

organization policies and procedures and documentation requirements

policies and procedures documentation

avoiding incidental disclosures

posting signs so others stay back keeping papers turned over at desk no visible names outside medical records when transported through facility keeping printers, copiers, fax machines in non-visible places and removing information quickly

minimum necessary

premise that limits disclosed details to only what is necessary

Every agency must appoint a _______

privacy officer

What is a tort?

private or civil injury; types include unintentional or intentional

risk analysis

process for cost effective security measures

What is malpractice?

professional negligence

What does HITECH Act do?

promotes the adoption and meaningful use of health information technology

What does stand for PARATOH?

protect against reasonably anticipated threats or hazard/ disaster plan

What does stand for P.A.U.D. ?

protect against unauthorized disclosure

What does every agency must provide?

provide education of HIPAA and organizational policies and procedures

Health insurance plan

these plans include group health plans, HMOs, Medicare, Medicaid, supplemental Medicare policies, long-term policies, employee benefit plans, TRICARE, CHAMPVA, Indian Health Service, Federal Employees Health Benefits Program, approved childe health plans, high-risk plans, etc.

electronic medical records

these records are legal records of a care delivery organization up which an EHR is based.

electronic health records

these records are owned by the patient or person who has a stake in the outcome, provides an interactive patient access.

electronic medical records

these records are preferred over paper records because they can be accessed more quickly, and take less room to store

electronic medical records

these records may be share between authorized healthcare professionals more easily than paper records.

Integrity:

things can't be changed on EMR. you can add more info with marked => never lose stuff

COBRA

this act of 1985 allows employees who are leaving a job to elect to continue their previous employer's health coverage for a limited time.

TPHCO

this concerns PHI that may be shared in order to provide treatment, process payment, and operate medical business: treatment mostly concerns discussions with other healthcare providers, payment refers mostly to health insurance, and healthcare operation includes training and accreditation. .

Healthcare provider

this includes hospitals, nursing, facilities, rehabilitation facilities, hospices, home health care, pharmacies, private practices, dental practices, labs, chiropractors, osteopaths, podiatrists, and therapists.

Title I

this part of HIPAA gave certain people the ability to enroll in new healthcare plans of different types.

Title II

this part of HIPAA restricted electronic transfer of healthcare data, gave patients more rights regarding their own personal information, and put in place better security of this information.

Title II

this part of HIPAA sought to reduce paperwork, simplify internet form processing, and standardize the administration of healthcare information.

Minimum necessary standard

this protects against too much information being given to any specific person or entity

HIPAA training

this training is required of pharmacy techs and pharmacists to be acquainted with all policies and procedures designed to protect PHI

offender did not know ($100-25,000)

tier A

reasonable cause and not willful neglect (1,000-100,000)

tier B

willful neglect and violation was corrected (10,000-25,000)

tier C

willful neglect and organization did not correct (50,000-1.5million)

tier D

What is the goal of HIPAA?

to protect confidential information from improper use or disclosure

Office for civil rights

to who may complaints against providers handling of PHI may be made

confidentiality

under HIPAA, healthcare providers ensure that patient _______ is always maintained

What is one of the biggest threats to patient privacy?

unintentional disclosure of information

What is false imprisonment?

unlawful restraint

What is battery?

unlawful touching of another

under HIPAA fraud include___

upcoding

Information "use"

use within organization.

10 safeguards for computers

user access control, passwords, workstation security, portable device security, safe internet access, report security incidents and breaches, email policies and security, recycling electronic computers and media


Conjuntos de estudio relacionados

Fundamentals Test 2 Questions (I got wrong)

View Set

AC 1- EXAM 1 PRACTICE QUESTIONS

View Set

ch. 3 homework - cycles of the sun and moon

View Set