CCA Confidentiality and Privacy

An HIT, using her password, can access and change data in the hospital's master patient index. A billing clerk, using his password, cannot perform the same function. Limiting the class of information and functions that can be performed by these two employees is managed by ______.

Access control means being able to identify which employees should have access to what data.

Under the HIPAA privacy standard, which of the following types of protected health information (PHI) must be specifically identified in an authorization?

The distinction of psychotherapy notes is important due to HIPAA requirements that these notes may not be released unless specifically specified in an authorization.

The term minimum necessary means that healthcare providers and other covered entities must limit use, access, and disclosure to the minimum necessary to _____.

Accomplish the intended purpose. The Privacy Rule introduced the standard of minimum necessary to limit the amount of PHI used, disclosed, and requested. This means that healthcare providers and other covered entities must limit uses, disclosures, and requests to only the amount needed to accomplish the intended purpose.

Which of the following ethical principles is being followed when an HIT professional ensures that patient information is only released to those who have a legal right to access it?

Beneficence

What is the legal term used to define the protection of health information in a patient-provider relationship?

Confidentiality is a legal ethical concept that establishes the healthcare provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure.

The HIM manager is concerned about whether the data transmitted across the hospital network is altered during the transmission. The concept that concerns the HIM manager is __________.

Data integrity services ensure the data are not altered as they are stored or transmitted electronically.

Deidentified information is what?

Deidentified information is information that does not identify an individual; essentially it is information from which personal characteristics have been stripped.

The formal proceeding in which oral testimony is taken from a party to a lawsuit, including plaintiff, defendant and other relevant witnesses, is known as __________.

Deposition. A healthcare organization involved in litigation will involve fact-finding. Discovery is a pre-trial stage that includes the deposition of oral testimonies of parties to the lawsuit.

An employee in the physical therapy department arrives early every morning to snoop through the clinical information system for potential information about neighbors and friends. What security mechanisms should be implemented to prevent this security breach?

Information access controls

The number that has been proposed for use as a unique patient identification number but is controversial because of confidentiality and privacy concerns is the _____.

It is generally agreed that social security numbers (SSNs) should not be used as patient identifiers.

Exceptions to the consent requirement include _____.

Medical emergencies. The law permits a presumption of consent during emergency situations, regardless of whether the patient is an adult or a minor.

To comply with HIPAA, under usual circumstances, a covered entity must act on a patient's request to review or copy his or her health information within ________ days.

No later than 30 days after the request is made.

A hospital receives a valid request from a patient for copies of his or her medical records. The HIM clerk who is preparing the records removes copies of the patient's records from another hospital where the patient was previously treated. According to HIPAA regulations, was this action correct?

No; the records from the previous hospital are considered part of the designated record set and should be given to the patient. Designated record set includes health records that are used to make decisions about the individual.

The right of an individual to keep information about himself or herself from being disclosed to anyone is a definition of __________.

Privacy is the right of an individual to be left alone. It includes freedom from observation or intrusion into one's private affairs and the right to maintain control over certain personal and health information.

The CIA of security includes confidentiality, data integrity, and data ________.

Security measures not only provide for confidentiality, but data integrity and data availability.

Which of the following is a direct command that requires an individual or a representative of an organization to appear in court or to present an object to the court?

Subpoena

Which document directs an individual to bring originals or copies of records to court?

Subpoena duces tecum is a written document directing individuals or organizations to furnish relevant documents and records.

A well-informed patient will know that the HIPAA Privacy Rule requires that individuals be able to _____.

The HIPAA Privacy Rule provides patients with rights that allow them to have some control over their health information: right of access, right to request amendment of PHI, right to accounting of disclosures, right to request restrictions of PHI, right to request confidential communications, and right to complain of Privacy Rule violations.

The Uniform Health Care Decisions Act ranks the next-of-kin in the following order for medical decision-making purposes _____.

The UHCDA suggests that decision-making priority for an individual's next-of-kin be as follows: Spouse, adult child, parent, adult sibling, or if no one is available who is so related to the individual, authority may be granted to "an adult who exhibited special care and concern for the individual".

True or False? A business associate agreement allows the business associate to maintain PHI indefinitely.

The agreement between the covered entity and business associate should, at termination of the contract, require the business associate to return or destroy all PHI received from the covered entity that it still maintains and prohibit the associate from retaining it. False

True or false? Consent for use and disclosure of information must be obtained from every patient.

Under the Privacy Rule, healthcare providers are not required to obtain patient consent to use or disclose personally identifiable information for treatment, payment, or healthcare operations. False

What penalties can be enforced against a person or entity that willfully and knowingly violates the HIPAA Privacy Rule with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm?

When a person or entity willfully and knowingly violates the HIPAA Privacy Rule, a fine of not more than $250,000, not more than 10 years in jail, or both may be imposed.

What should a hospital do when a state law requires more stringent privacy protection than the federal HIPAA privacy standard?

When a state law is more stringent than a federal law, hospitals must comply with both.

Which of the following is a threat to data security?

Access Controls. Regardless of state laws, every person or organization is subject to HIPAA and must comply with it. The law supersedes state law.

All states have laws that require __________.

Disclosure of health information, even if the patient authorizes it, Reporting of births and deaths, Reporting of suspected child abuse or neglect. Regardless of state laws, every person or organization is subject to HIPAA and must comply with it. The law supersedes state law.

The Federal Rules of Civil Procedure (FRCP) incorporated the pre-trial process through the creation of what?

E-Discovery. It is the same pretrial process as discovery; the electronic health record has promoted this concept.

Written or spoken permission to proceed with care is classified as _____.

Expressed consent can be spoken or written.

The release of information function requires the HIM professional to have knowledge of __________.

Federal and state confidentiality laws. Federal regulations such as HIPAA and state laws govern the release of health record information; HIM department personnel must know what information needs to be included on the authorization for it to be considered valid.

A patient requests copies of her personal health information on CD. When the patient goes home, she finds that she cannot read the CD on her computer. The patient then requests the hospital to provide the medical records in paper format. How should the hospital respond?

The covered entity must provide access to the personal health information in the form or format requested when it is readily producible in such form or format. When it is not readily producible in the form or format requested, it must be produced in a readable hard-copy form or such other form or format agreed upon by the covered entity and the individual.

The HIPAA Privacy Rule requires that covered entities must limit use, access, and disclosure of PHI to only the amount needed to accomplish the intended purpose. What concept is this an example of?

The standard of minimum necessary means that healthcare providers and other covered entities must limit uses, disclosures, and requests to only the amount needed to accomplish the intended purpose.

The Medical Record Committee is reviewing the privacy policies for a large outpatient clinic. One of the members of the committee remarks that he feels the clinic's practice of calling out a patient's full name in the waiting room is not in compliance with HIPAA regulations and that only the patient's first name should be used. Other committee members disagree with this assessment. What should the HIM director advise the committee?

There is no HIPAA violation for announcing a patient's name, but the committee may want to consider implementing practices that might reduce this practice.

What is not true of notices of privacy practices?

They must contain content that may not be changed. The notice of privacy includes a statement that the covered entity reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains.

