PE Lecture 19
What does the Privacy Rule Principle state?
-2 situations in which you can disclose PHI: 1. when the Privacy Rule permits or requires it 2. when authorized by the patient or the patient's representative
What can the government do to discipline those who violate HIPAA?
-Civil:
•$100 per incident, not to exceed $25,000 for identical violations per year
-Criminal:
•Up to $50,000 and 1 year for knowingly and improperly obtaining or disclosing PHI
•Up to $100,000 and 5 years if the offense is committed under false pretenses
•Up to $250,000 and 10 years for obtaining or disclosing PHI with the intention to sell it or use it for malicious purposes
Denials to pt amendments must:
-be in writing -include the reason for the denial -include directions for filing a complaint
What is "individually identifiable information"?
-information, including demographic data, that relates to an individual's: •past, present or future physical or mental condition; •provision of care; •past, present or future payment for health care; •identity; •or for which there is a reasonable basis to believe it can be used to identify the individual
What is "Title II - Preventing Healthcare Fraud and Abuse, Administrative Simplification, and Medical Liability Reform" and what does it cover?
-key part of HIPAA -Administrative Simplification •Electronic Transactions •Privacy •Security
Privacy Rule: Major Goals (3)
-major goals: 1. assure that individuals' health information is properly protected 2. while allowing the flow of health information needed to provide and promote high quality health care 3. and to protect the public's health and well being
Security Rule and what it requires (3)
1. Confidentiality - PHI is not available or disclosed to unauthorized persons or processes 2. Integrity - PHI is not altered or destroyed in an unauthorized manner 3. Availability - PHI is accessible and usable upon demand by an authorized person
What 2 groups are covered by HIPAA?
1. Covered entities - healthcare providers: •physicians •dentists •hospitals •pharmacies •laboratories
2. Business Associates - provide services to healthcare providers: •answering services •lawyers •collection agencies •health plans
What % of US medical schools reported incidents of students posting unprofessional content online? Of those incidents, what % involved violations of patient confidentiality and what % involved posts that violated HIPAA?
60% 13% 8%
13. A person or entity that provides services to health care providers is known as a: A.Business Associate B.Covered Entity C.Clearing House
A
6. When is the patient's authorization to release information required? A.In most cases when patient information is going to be shared with anyone for reasons other than treatment, payment or healthcare operations B.Upon admission to a hospital C.When patient information is shared among two or more clinicians D.When patient information is used for billing a private insurer
A
4. Accessing your own medical record on paper or electronically is completely acceptable and would not be considered a HIPAA violation. A.True B.False
A - unless the hospital/healthcare system has specific rules against it
As a student, if you are curious about the outcome of a patient you came across, what is an appropriate action to take, and what is an inappropriate one?
Appropriate: contact the attending or the patient's physician and ask them. Inappropriate: check the patient's record.
11. Is it permissible for medical students to enter PHI into personal devices, such as smartphones, that have not been approved for such use by the health care facility? A. Yes B. No
B
12. Which of the following is an example of an appropriate place to discuss PHI? A.Elevator B.In a private patient room C.Front lobby D.Local restaurant that plays loud music
B
14. Assuring that PHI is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being is the goal of the: A.Patient Protection and Affordable Care Act B.Privacy Rule C.Business Associates D.Covered Entities
B
2. Under what circumstances are you free to repeat to others PHI that you hear on the job? A.Only if you know the patient won't mind B.When your job requires it C.Only if it is shared using your personal Facebook or Twitter account D.After a patient dies
B
8. Are employees who are not actively involved in the care of a patient allowed to review a patient's chart out of intellectual curiosity? A.Yes B.No
B
9. You have forgotten your password and need access to the computer to perform your work duties. What should you do? A.Ask a co-worker to provide his user name and password so you can log in B.Request a new password according to the organization's policy C.Ask a co-worker to look up the information that you need
B
1. What does PHI stand for? A.Physical Health Injuries B.Patient and Hospital Incidents C.Protected Health Information D.Personal and Health Information
C
5. In which of the following cases would you be required to release information without a patient's permission? A.When the information is needed for an urgent news story B.When the person requesting the information is a spouse, parent or sibling C.When a provider suspects child abuse D.None of the above
C
15. HIPAA's Privacy Rule protects patient information in which of the following formats? A.Verbal B.Paper C.Digital D.All of the above
D
3. Patient health information includes: A.Name, address, birth date, social security number, e-mail address B.Medical records, diagnosis, treatment, test results C.Billing records, census reports, referral authorizations D.All of the above
D
10. Under HIPAA a patient has the right to the following information: A.To receive a Notice of Privacy Practices B.To see or receive a copy of his/her PHI and to request corrections C.To ask that PHI be sent to him/her at a different address or in a different way D.To request limits on how his/her PHI is used and disclosed and to receive a list of disclosures E.All of the above
E
7. What can happen to a person who knowingly violates patient privacy for personal gain or malicious harm? A.Disciplinary action B.Loss of access privileges C.Fines and penalties D.Imprisonment E.All of the above
E
What does HIPAA stand for?
Health Insurance Portability and Accountability Act
What does PHI stand for?
Protected Health Information
What does the Privacy Rule Permit?
appropriate disclosures
What does the Privacy Rule Prohibit?
the disclosure of PHI except as defined in the Privacy Rule or authorized in writing by the individual or his/her representative.
Bad HIPAA practice
•Access PHI for which you have no legitimate reason to access. •Discuss PHI in public places such as elevators, bathrooms, lobbies, etc. •Share or use someone else's password. •Store PHI on your PDA unless approved by the covered entity. •Throw PHI in regular trash cans. •Leave PHI in a place that can be accessed or seen by the public. •Use social media to discuss patient information. •Access your own records or those of your family members or friends.
Good HIPAA practice
•Access records for which you have a legitimate need. •Share PHI with those who need to know. •Discuss PHI in appropriate places. •Verify that you can share information with someone, such as a family member, by asking the patient, by reviewing their written authorization, or by asking for the password/code assigned by the covered entity if there is one. •Follow all of the covered entity's IT policies and procedures.
What is affected/covered by the Privacy Rule?
•Any identifiable health information (AKA protected health information, PHI) •Any format (HIPAA always applies regardless of technological innovation) -The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper or oral
Privacy Rule requirements as to when you must disclose PHI
•As required by law (statute, regulation, court order) •Public health activities •Victims of abuse, neglect or domestic violence •Health oversight activities •Judicial and administrative hearings •Law enforcement purposes •Decedents (funeral directors, coroners) •Organ, eye, tissue donation •Research •Serious threat to health or safety •Essential government functions •Workers' Compensation (as required by law)
Exceptions to Patient Rights
•Copies may be denied if likely to endanger the life or physical safety of the individual or another person. •Amendments may be denied (and often are)
What are a Covered Entity's responsibilities?
•Disclose the minimum necessary to complete the task -you do not need to disclose all of the patient's information in order to treat them
Is HIPAA a state or federal law?
•HIPAA is a federal floor and not a ceiling •States may have more restrictive privacy laws
What are a patient's rights in regard to their information?
•Inspect and obtain copies of medical records. •Amend information the patient believes is incorrect, subject to organizational approval. •Accounting of disclosures other than for treatment, payment or healthcare operations. (Reports required by state and federal laws: funeral homes, communicable diseases, vital statistics) •Request restrictions on what information is provided to others - exception: if the patient pays cash, the information cannot be released to the insurance company. •Request that confidential communications be provided by a particular means or at a particular location - exception for emergencies.
HIPAA History
•Introduced by Senators Kennedy and Kassebaum to: -set standards to protect the privacy of patient records -streamline billing and reimbursement processes •Enacted on August 21, 1996 •Required Congress to pass regulations by August 21, 1999. •Department of Health and Human Services to develop regulations if Congress did not •Congress did not act. •52,000 public comments. •Effective date: April 14, 2001 •Implemented April 14, 2003
What are Reasonable efforts to protect PHI?
•Limiting access to electronic records •Auditing those who access electronic records •Shredding of documents •Conducting audits and surveys of physical security of PHI. •Screensavers •Fax cover sheets
Examples of PHI
•Name •Address •Age •Telephone •Diagnosis •Treatment plans •Prognosis
Simple summary of what you need to know about HIPAA (2)
•Only access information you need to know to do your job.
•Only tell others what they need to know to do their job.
-A covered entity (you) may not use or disclose PHI, except either: 1) as the Privacy Rule permits or requires; or 2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.
Ways a Covered Entity may discipline those who violate HIPAA
•Oral warning with retraining •Written warning with more retraining •Termination •Referral to law enforcement
What are appropriate disclosures?
•Patient or authorized representative
•Other health care providers involved in treatment/referral
•To obtain reimbursement
•Health care entities for operations: -Quality assurance and case management -Credentialing and accreditation -Training of students and residents
•Informally, if the individual has the opportunity to agree or object: -Facility directories -Family members
How do Covered Entities protect PHI?
•Written policies and procedures •Designated privacy officers •Annual education •Business Associate Agreements with covered entities •Reasonable efforts to protect PHI •Providing each patient a "Notice of Privacy Practices"
Reports required by state and federal laws
•funeral homes •communicable diseases •vital statistics