CDEO - Chapter 2


Availability

"___" means ePHI is accessible and usable on demand by an authorized person.

Health Insurance Portability and Accountability Act of 1996

(HIPAA)

dated, timed, authenticated

All entries in the medical record must be ____, _____, _______, in written or electronic form, by the person responsible for providing or evaluating the service provided.

legible

All entries in the medical record must be _____.

complete

All entries in the medical record must be ______.

HIPAA

Under _______, electronic transactions must use the adopted standard and adhere to the content and format requirements of ASC X12N or NCPDP (used for certain pharmacy transactions) for each transaction. An additional rule was adopted to standardize the code sets for diagnoses and procedures. These code sets include: HCPCS (Healthcare Common Procedure Coding System—ancillary services and procedures); CPT® (Current Procedural Terminology—physician's procedures); CDT® (Current Dental Terminology—dental procedures); ICD-9 (International Classification of Diseases-9th revision— diagnosis and inpatient hospital procedures); ICD-10 (International Classification of Diseases-10th Revision, which replaced ICD-9 on October 1, 2015); and NDC (National Drug Codes).

unique identifier

In addition to the standardization of the codes used to request payment for medical services, a _______ for employers and providers must be used on all transactions.

copies, psychotherapy, legal, lab, research

In most cases, individuals have the right to review and obtain ______ of their protected health information; however, there are exceptions to the type of information that may be released. Areas excluded from the rights of access are: _______ notes, information related to _____ proceedings, and certain ____ results or information held by ______ laboratories.

individually identifiable health information

Protected health information is "__________." It includes many common identifiers, such as 1.) demographic data, 2.) name, 3.) address, 4.) birth date, and 5.) Social Security number. It also includes information that relates to 1.) an individual's past, present, or future physical or mental health or condition; 2.) the provision of healthcare to the individual; or 3.) the past, present, or future payment for the provision of healthcare to the individual, which reasonably may be used to identify an individual.

HITECH

The ______ enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, also specifies that an organization that provides data transmission of PHI to a covered entity and that requires access to PHI routinely, such as a Health Information Exchange Organization, will be treated as a business associate.

Department of Justice

The ______ is responsible for criminal prosecutions under the Privacy Rule.

Privacy Rule

The ______ requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.

integrity

Under the Security Rule, "_____" means ePHI is not altered or destroyed in an unauthorized manner.

safeguards

Use appropriate ________, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement.

business, size, resources

What is appropriate for a covered entity will depend on the nature of the covered entity's ______, as well as the covered entity's ____ and ______.

entire

When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the ______ medical record for a particular purpose, unless it can specifically justify the record as the amount reasonably needed for that purpose. To strike a balance between the individual interest and public interest for specific protected health information.

optional, instructions

Words or phrases contained in brackets are intended as either _____ language or as ______ to the users of these sample provisions.

All

____ covered entities are required to follow the Privacy Rule.

minimum necessary

The _____ standard is a key protection of the HIPAA Privacy Rule.

Technical Safeguards

1.) Access Control: A covered entity must implement technical policies and procedures that allow only authorized persons to access ePHI.
2.) Audit Controls: A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
3.) Integrity Controls: A covered entity must implement policies and procedures to ensure ePHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm ePHI has not been improperly altered or destroyed.
4.) Transmission Security: A covered entity must implement technical security measures that guard against unauthorized access to ePHI being transmitted over an electronic network.

Physical Safeguards

1.) Facility Access and Control: A covered entity must limit physical access to its facilities while ensuring authorized access is allowed.
2.) Workstation and Device Security: A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal,

medical record, written

A ______ is a repository for an individual's health information and is kept for planning patient care and providing ______ communication to all involved in providing patient care. The information may include information from a nurse, physician, dentist, chiropractor, psychiatrist, or other healthcare provider.

contract

A _______ is required between business associates to impose specified written safeguards on the individually identifiable health information used or disclosed by the business associate. It must describe the permitted and required uses of protected health information by the business associate, limit the business associate from using or further disclosing the protected health information (except where permitted by

covered entity

A _______ is required to develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.

limited data set

A ________ is protected health information from which certain specified direct identifiers have been removed. Limited data sets may be used for research, healthcare operations, and public health purposes, as long as there is an agreement with promised safeguards in place for the protected health information.

can

A covered entity ____ be a business associate of another covered entity.

permits, writing

A covered entity may not use or disclose protected health information unless the Privacy Rule _____ it or as the individual authorizes in _____.

willful neglect, 30

A covered entity will not receive a penalty if the failure to comply was not due to ____ neglect and was corrected within ___ days of identification that the error occurred; or, if the Department of Justice imposed a criminal penalty. Penalties can be reduced at the discretion of OCR if the failure to comply was due to reasonable cause, and the penalty would be excessive based on the nature and extent of the noncompliance.

plan

A healthcare provider will send a claim to a health _____ to request payment for the medical services he or she provides.

identify, support, justify

A medical record is considered complete if it contains sufficient information to ______ the patient; _____ the diagnosis/condition; _____ the care, treatment, and services; document the course and results of care, treatment, and services; and promote conti-

each

A privacy practice notice must be provided by ______ covered entity and must contain certain elements to notify individuals as to how the covered entity will use and disclose the individual's protected health information. The notice must clearly explain the covered entity's obligation to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The covered entity must also inform the patient of his or her individual rights, and the steps to follow (including a point of contact for further information) if an individual feels his or her privacy rights have been violated.

providers

All healthcare ________ who electronically transmit health information through certain transactions are covered entities. Some examples of transactions that may be submitted electronically are claim forms, inquiries about the eligibility of benefits, and requests for authorization of referrals. Simply using electronic technology, such as sending emails, does not mean a healthcare provider is a covered entity; the transmission must be in connection with a standard transaction. The rule applies to all, regardless of whether they transmit the transactions directly, or use a billing service or other third party to transmit on their behalf. They are defined as providers of services, such as hospitals, and providers of medical or health services, such as physicians, dentists, and other practitioners who furnish, bill, or receive payment for healthcare.

privacy notice, first

Beginning April 14, 2003, HHS said a distribution of the ______ must be provided to individuals promptly when there is a direct treatment relationship between the individual and a covered healthcare provider. The rule indicates the notice must be provided: not later than the ____ service encounter, by personal delivery at patient service visits, electronically, or through mail; by posting the notice in a clear and prominent place that can be easily seen by people seeking services; and, in emergent situations, when the emergency has abated.

use, disclose

Business associate may ____ or _____ protected health information as required by law.

August 14, 2002

Congress did not enact privacy legislation within the specified time governed by HIPAA. The U.S. Department of Health and Human Services (HHS) developed a proposed rule, which was released for comment on November 3, 1999. Many comments were received, and modifications were made to the rule. The modifications were published and released in final form on ______.

request

Covered entities are also required to supply a notice to anyone upon ______, whether direct or indirect treatment was provided. In addition, covered entities must also make their privacy notices available electronically on any website maintained for customer service or benefits information.

plans, clearinghouses, provider

Covered entities are defined as health _____, healthcare ________, and any healthcare _________ who transmits health

OCR

Covered entities failing to comply and cooperate with any investigation initiated by ____ may be subject to civil money penalties. The penalties will vary significantly, depending on factors ranging from the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the failure was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.

charge

Covered entities may ______ a reasonable fee for providing such information.

privacy rule

Covered entities may not contractually authorize a business associate to make any use or disclosure of protected health information that would violate the _______.

knowingly

Criminal penalties are imposed when a person _______ obtains or discloses individually identifiable health information in a way that violates the Privacy Rule. The penalties begin at $50,000 and up to one-year imprisonment and increase to $100,000 and up to five years imprisonment if the conduct involved false pretenses; or, as much as $250,000 and up to 10 years imprisonment if the conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm.

health plans

Fully insured group _______ have only two obligations: (1) banned from retaliatory acts and waiver of individual rights, and (2) to provide documentation for the disclosure of protected health information through documentation. HHS, Office of Civil Rights (OCR) is responsible for administering and enforcing the standards set forth in the Privacy Rule and may conduct complaint investigations and compliance reviews.

labs, medications, operations, lifestyle

Details within the medical record may include information about medical history (____ test performed, ______ prescribed, information about ______, and/or details about ______, family medical history, etc.).

100, 25,000

For violations occurring prior to 2/18/2009, the penalty amount is up to $___ per violation, with a calendar year cap of $_______. For violations occurring on or after 2/18/2009, the penalty amount ranges from $100 to $50,000 or more, per violation, with a calendar year cap of $1,500,000.

administrative

HHS has created ______ requirements for covered entities. They realize that the size of covered entities can vary greatly; there is some flexibility and scalability built into the rule to allow analysis of each entity's needs, and to implement the required rules appropriately. Those requirements that must be followed are:
1.) All covered entities must have written privacy policies that comply with the Privacy Rule.
2.) A privacy official must be designated to be responsible for developing and implementing privacy policies and procedures and be the contact person for individuals with questions or concerns regarding the privacy practices.
3.) All members of a covered entity's workforce (employees, volunteers, and trainees) must be trained on the covered entity's privacy policies. Appropriate sanctions must be applied to a workforce member who violates any area of the privacy rules.
4.) Covered entities are required to mitigate any harmful effect that may have been caused by inappropriate use or disclosure of protected health information that was caused by its workforce or business associates.
5.) Procedures must be in place to allow an individual to complain about a covered entity's compliance with their privacy policies.
6.) A covered entity may not retaliate against a person for exercising his or her rights provided by the Privacy Rule or require an individual to waive any right to obtain healthcare services.
7.) Privacy policies must be maintained by covered entities for six years, after the later of the date of their creation, or last effective date.

administrative, physical, technical

HHS provides the following summary detail for each of these three safeguards. 1.) _____ 2.) _____ 3.) _____

Administrative Simplification

HIPAA _______ provisions required that sections of the law be publicized to explain the standards for the electronic exchange, privacy, and security of health information.

Kennedy-Kassebaum

HIPAA, also known as the ______ bill, was originally enacted to provide rights and protections for participants and beneficiaries of group health plans. Under this law, exclusions for preexisting conditions were limited, and discrimination against employees and dependents based on their health status was prohibited.

Fraud, Abuse

HIPAA also established the Healthcare _____ and _____ Control Program, a far-reaching program in healthcare, including both public and private health plans to combat both

August 21, 1996

HIPAA was enacted on _________.

Health Information Technology for Economic and Clinical Health Act

HITECH

plan

Health ______ covered entities are organizations that pay providers on behalf of an individual receiving medical care. These plans include health, dental, vision, and prescription drug insurers. Some examples include health maintenance organizations (HMOs), Medicare, Medicaid,

new member enrollment, three, named insurer

Health plans are required to distribute their privacy policy notices upon ________. They are also required to send a reminder to their enrollees every ____ years, letting the enrollees know that the notice is available upon request. The requirement does indicate the health plan is only obligated to send the information to the "______" (subscriber for coverage).

clearinghouses

Healthcare ________ include billing services, repricing companies, and community health management information systems that process nonstandard information, received from another entity, into a standard (ie, standard format or data content) or vice versa. In most instances, healthcare clearinghouses receive individually identifiable information for processing services to a health plan or healthcare provider as a business associate. In these cases, only certain provisions are applicable to the clearinghouses' uses and disclosures of protected health information.

reasonable, health and human services office for civil rights

If a covered entity identifies a material breach or violation of the contract or agreement, _________ steps must be taken to cure the breach or end the violation. If not possible, the contract must be terminated, and the problem reported to the Department of __________.

accounting

Maintain and make available the information required to provide an _____ of disclosures to the [Choose either "covered entity" or "individual"] as necessary to satisfy covered entity's obligations under 45 CFR 164.528;

protected health information

Not use or disclose __________ other than as permitted or required by the Agreement or as required by law.

medical errors, adverse

Orders, progress notes, nursing notes, or other entries in the medical record that are not legible may be misread or misinterpreted and may lead to _____ or other ______ patient events.

three

The HIPAA Security Rule is comprised of _____ levels of safeguards:
1. Administrative safeguards: These safeguards address your operations. They include assigning responsibility to someone for security and having policies and procedures in place to direct your security efforts.
2. Physical safeguards: These safeguards include locks and keys, where computers are located, how electronic media are disposed of, and generally how to make the environment safe.
3. Technical safeguards: These safeguards are controls directly applied to information systems. They identify who may have access to information systems, provide access to sets of data and specific functions in systems, audit persons who have used the systems, and protect the systems from malicious software.

12

The Privacy Rule permits use and disclosure of this information without an individual's authorization or permission through public interest and benefit activities. There are 12 national priority purposes: required by law; public health activities; victims of abuse, neglect, or domestic violence; health oversight activities; judicial and administrative proceedings; law enforcement purposes; decedents (funeral directors or medical examiners); cadaveric organ, eye, or tissue donation; research; serious threat to health or safety; essential government functions; and workers' compensation.

requests, HHS

The Privacy Rule requires that a covered entity must disclose protected health information to an individual when he or she _____ his or her own information, or to ____ when it is investigating for compliance, review, or enforcement action.

flexible, comprehensive

The Privacy Rule was designed to be ______ and ______, to allow for the various uses and disclosures the healthcare community must address.

good faith, signatures, emergent

The Privacy rule indicates a healthcare provider must make a ______ effort to obtain written acknowledgement from patients that the patients have received the privacy practices notice. It does not outline specific content requirements; however, most covered entities ask for _____ from individuals, indicating the individual was provided a copy of the notice. Receipt of acknowledgement is relieved in ______ situations.

integrity, availability

The Security Rule also promotes the ____ and _____ of ePHI.

confidentiality

The Security Rule defines "________" to mean ePHI is not available or disclosed to unauthorized persons.

flexible, scalable

The Security Rule is ____ and _____ to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments.

time, date

The ____ and ____ of each entry (orders, reports, notes, etc.) must be accurately documented.

Privacy Rule, covered, healthcare provider, sponsor, plan

The _______ includes exceptions to the business associate standard, which DO NOT REQUIRE a ______ entity to have a written agreement in place prior to disclosing protected health information. Examples include: disclosures by a ________ for treatment of the individual, such as: 1.) a hospital referring a patient to a specialist and transmitting the patient's medical chart for treatment purposes; 2.) a physician sending specimens to a lab for analysis; 3.) a hospital lab sending specimens to a reference lab for analysis. Disclosures to a health plan ______, such as an employer, by a group health plan that provides the health insurance benefits or coverage for the group health plan. The collection and sharing of protected health information by a health _____ that is a public benefits program, such as Medicare.

Privacy Rule

The _______ standards address how an individual's protected health information (PHI) may be used. Its purpose is to protect individual

Security Rule's

The ________ confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI.

HIPAA

The following terms used in this Agreement shall have the same meaning as those terms in the _____ Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Healthcare Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

HIPAA Privacy Rule

The minimum necessary standard is a key protection of the __________.

de-identified

There are no restrictions on the use of _____ health information. This type of information may be used for multiple purposes because when the protected health information is removed, a reasonable basis does not exist to identify an individual.

safety, quality of care

Timing and dating entries are necessary for patient ____ and _______.

baseline

Timing and dating of entries establish a _____ for future actions or assessments and establish a timeline of events.

protected health information

To be considered a business associate, the persons or organizations would involve the use or disclosure of ________ between the two parties.

Permitted

____ uses and disclosures of protected health information allow a covered entity to use and disclose certain information without an individual's authorization in the following situations:
1. To the individual who is the subject of the information.
2. Protected health information may be used by a covered entity for treatment, payment, and healthcare operation activities.
3. The individual may grant informal permission by being asked outright, giving them the opportunity to agree or object in circumstances where the individual is not capable of providing his or her signature. Covered entities are expected to use their judgment in situations where the patient is incapacitated, or the covered entity is not available to provide the care that is in the best interest of the patient.
4. Incidental use and disclosure is permitted, as long as the covered entity has reasonable safeguards in place to ensure that the information being shared is limited to the "minimum necessary," as required by the Privacy Rule.

HHS

_____ issued a privacy rule to set a national standard for the protection of certain health information.

HIPAA

_____ regulations standardized transactions for Electronic Data Interchange (EDI) of healthcare data. These transactions are: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits, and premium payment.

Risk analysis

_____ should be an ongoing process in which a covered entity regularly reviews records to track access to ePHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly re-evaluates potential risks to ePHI. Processes include:
1.) Security Management: A covered entity must analyze potential risks to ePHI and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
2.) Security Personnel: A covered entity must designate a security official who is responsible for developing and implementing security policies and procedures.
3.) Information Access Management: Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user or recipient's role (role-based access).
4.) Workforce Training and Management: A covered entity must provide appropriate authorization and supervision of workforce members who work with ePHI. A covered entity must train all workforce members regarding its security policies and procedures and adopt and apply appropriate sanctions against workforce members who violate its policies and procedures.
5.) Evaluation: A covered entity must perform a periodic assessment of how well security policies and procedures meet the requirements of the Security Rule.

Timing

______ establishes when an order was given, when an activity happened or when an activity is to take place.

Business Associate

______ shall generally have the same meaning as the term "business associate" at 45 CFR 160.103, and in reference to the party to this agreement

Policies, Procedures, and Documentation

_______ Requirements: This requires covered entities to implement reasonable and appropriate policies and procedures to comply with the standards.

Healthcare providers

_______ are required to maintain complete and accurate medical records for all services they perform. These requirements are generally enforced through licensing, the certification process, or credentialing with insurance carriers.

Business

_______ associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

Transactions

_______ occur through electronic exchanges, which allow information to be transferred between two parties for specific purposes.

Business associates

_______ perform certain functions or activities, which involve the use or disclosure of individually identifiable health information, on behalf of another person or organization, without being a member of the entity's workforce. These services include claims processing or administration, data analysis, utilization review, billing, benefit management, and re-pricing.

HIPAA

_______ shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

Organizational

________ Requirements: These include business associate contracts or other arrangements where covered entities and business partners are required contractually to follow the organization's Security Rules.

Business associate

________ agrees to make uses and disclosures and requests for protected health information [Option 1] consistent with covered entity's minimum necessary policies and procedures. [Option 2] subject to the following minimum necessary requirements: [Include specific minimum necessary provisions that are consistent with the covered entity's minimum necessary policies and procedures.]

HIPAA security

________ regulations adopted administrative, technical, and physical safeguards necessary to prevent unauthorized access to PHI. The standards, in effect for all covered entities since April 20, 2006, are designed to protect the confidentiality, integrity, and availability of ePHI a covered entity creates, receives, maintains, or transmits. The intent is to identify and protect against reasonably anticipated threats to the security or integrity of the information and protect against reasonably anticipated impermissible uses and disclosures.

report

________ to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;

subcontractors

ensure that any _______ that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information;
