Chapter 9 - Data Privacy and Confidentiality
Confidentiality
1. A legal and ethical concept that establishes the health care provider's responsibility for protecting health records and other personal and private information from unauthorized use or disclosure 2. As amended by HITECH, the practice that data or information is not made available or disclosed to unauthorized persons or processes (45 CFR 164.304 2013)
Consent
1. A patient's acknowledgement that he or she understands a proposed intervention, including that intervention's risks, benefits, and alternatives 2. The document signed by the patient that indicates agreement that protected health information (PHI) can be disclosed
Business associate (BA)
1. A person or organization other than a member of a covered entity's workforce that performs functions or activities on behalf of or affecting a covered entity that involve the use or disclosure of individually identifiable health information 2. As amended by HITECH, with respect to a covered entity, a person who creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services (45 CFR 160.103 2013)
Authorization
1. As amended by HITECH, except as otherwise specified, a covered entity may not use or disclose protected health information without an authorization that is valid under section 164.508 2. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with the authorization (45 CFR 164.508 2013)
Subpoena
A command to appear at a certain time and place to give testimony on a certain matter
Legal hold
A communication issued because of current or anticipated litigation, audit, government investigation, or other such matters that suspend the normal disposition or processing of records. Legal holds can encompass business procedures affecting active data, including, but not limited to, backup tape recycling. The specific communication to business or IT organizations may also be called a "hold", "preservation order", "suspension order", "freeze notice", "hold order", or "hold notice"
Facility directory
A directory of patients being treated in a healthcare facility
Warrant
A judge's order that authorizes law enforcement to seize evidence and conduct a search
Deposition
A method of gathering information to be used in a litigation process
Privacy officer
A position mandated under the HIPAA Privacy Rule; covered entities must designate an individual to be responsible for developing and implementing privacy policies and procedures
Business records exception
A rule under which a record is determined not to be hearsay if it was made at or near the time by, or from information transmitted by, a person with knowledge; it was kept in the course of a regularly conducted business activity; and it was the regular practice of that business activity to make the record
Subpoena ad testificandum
A subpoena that seeks testimony
Hearsay
A written or oral statement made outside of court that is offered in court as evidence
Subpoena duces tecum
A written order commanding a person to appear, give testimony, and bring all documents, papers, books, and records described in the subpoena. These devices are used to obtain documents during pretrial discovery and to obtain testimony during trial
Sale of information
Addressed specifically by ARRA, which prohibits a covered entity or BA from selling (receiving direct or indirect compensation) in exchange for an individual's PHI without that individual's authorization; the authorization must also state whether the individual permits the recipient of the PHI to further exchange the PHI for compensation
Right of access
Allows an individual to inspect and obtain a copy of his or her own PHI contained within a designated record set, such as a health record
Federal Trade Commission (FTC)
An independent federal agency tasked with dealing with two areas of economics in the United States: consumer protection and issues having to do with competition in business
Right to request restrictions of PHI
An individual can request that a covered entity restrict the uses and disclosures of PHI to carry out treatment, payment, or healthcare operations
Right to request accounting of disclosures
An individual has the right to receive an accounting of certain disclosures made by a covered entity
Court Order
An official direction issued by a court judge and requiring or forbidding specific parties to perform specific actions
Covered entity (CE)
As amended by HITECH, (1) a health plan, (2) a health care clearinghouse, (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this sub-chapter (45 CFR 160.103 2013)
Business associate agreement (BAA)
As amended by HITECH, a contract between the covered entity and a business associate must establish the permitted and required uses and disclosures of protected health information by the business associate and provides specific content requirements of the agreement. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of HIPAA, and requires termination of the contract if the covered entity or business associate are aware of noncompliant activities of the other (45 CFR 164.504 2013)
Breach notification
As amended by HITECH, a covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach (45 CFR 164.404 2013)
Notice of privacy practices
As amended by HITECH, a statement (mandated by the HIPAA Privacy Rule) issued by a healthcare organization that informs individuals of the uses and disclosures of patient-identifiable health information that may be made by the organization, as well as the individual's rights and the organization's legal duties with respect to that information (45 CFR 164.520 2013)
Administrative simplification
As amended by HITECH, authorizes HHS to: (1) adopt standards for transactions and code sets that are used to exchange health data; (2) adopt standard identifiers for health plans, health care providers, employers, and individuals for use on standard transactions; and (3) adopt standards to protect the security and privacy of personally identifiable health information (45 CFR Parts 160, 162, and 164 2013)
Workforce
As amended by HITECH, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate
Protected health information (PHI)
As amended by HITECH, individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information (i) in education records covered by the Family Educational Rights and Privacy Act, as amended 20 USC 1232g; (ii) in records described at 20 USC 1232g(a)(4)(B)(iv); (iii) in employment records held by a covered entity in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years (45 CFR 160.103 2013)
Individually identifiable health information
As amended by HITECH, information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual (45 CFR 160.103 2013)
Marketing
As amended by HITECH, means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, or where the covered entity receives financial remuneration in exchange for making the communication (45 CFR 164.501 2013)
Disclosure
As amended by HITECH, the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information (45 CFR 160.103 2013)
Use
As amended by HITECH, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information (45 CFR 160.103 2013)
Designated record set (DRS)
As amended by HITECH: (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals (2) For purposes of this paragraph, the term means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity (45 CFR 164.501 2013)
Red Flags Rule
Consists of five categories of red flags that are used as triggers to alert the organization to a potential identity theft; the categories are: (1) alerts, notifications, or warnings from a consumer reporting agency; (2) suspicious documents; (3) suspicious personally identifying information such as a suspicious address; (4) unusual use of, or suspicious activity relating to, a covered account; (5) Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account
Metadata
Descriptive data that characterize other data to create a clearer understanding of their meaning and to achieve greater reliability and quality of information. Metadata consist of both indexing terms and attributes. Data about data: for example, creation date, date sent, date received, last access date, last modification date
Interrogatories
Discovery devices consisting of a set of written questions given to a party, witness, or other person who has information needed in a legal case
Clinical Laboratory Improvement Amendments (CLIA) of 1988
Established quality standards for all laboratory testing to ensure the accuracy, reliability, and timeliness of patient test results regardless of where the test is performed (Public Law 90-174-1967)
Right to request confidential communications
Healthcare providers and health plans must give individuals the opportunity to request that communications of PHI be routed to an alternative location or by an alternative method
Preemption
In law, the principle that a statute at one level supersedes or is applied over the same or similar statute at a lower level (for example, the federal HIPAA privacy provisions trump the same or similar state law except when state law is more stringent)
Complaint
In litigation, a written legal statement from a plaintiff that initiates a civil lawsuit
Fundraising
In activities that benefit the covered entity, the covered entity may use or disclose to a BA or an institutionally related foundation, without authorization, demographic information and dates of healthcare provided to an individual
Deidentified information
Information from which personal characteristics have been stripped in such a way that it cannot later be reconstituted or combined to re-identify an individual; it is commonly used in research
Fair and Accurate Credit Transactions Act
Law passed in 2003 that contains provisions and requirements to reduce identity theft (Public Law 108-159 2003)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Legislation created to promote the adoption and meaningful use of health information technology in the United States. Subtitle D of the Act provides for additional privacy and security requirements that will develop and support electronic health information, facilitate information exchange, and strengthen monetary penalties. Signed into law on February 17, 2009, as part of ARRA (Public Law 111-5 2009)
Right to request amendment
One may request that a covered entity amend PHI or a record about the individual in a designated record set
Personal representative
Person with legal authority to act on a patient's behalf
E-discovery
Refers to Amendments to Federal Rules of Civil Procedure and Uniform Rules Relating to Discovery of Electronically Stored Information, wherein audit trails, the source code of the program, metadata, and any other electronic information that is not typically considered part of the legal health record is subject to a motion for compulsory discovery
Access report
Report that provides a list of individuals who accessed patient information during a given period
Minimum necessary standard
Requires that uses, disclosures, and requests must be limited to only the amount needed to accomplish an intended purpose
Federal Rules of Evidence (FRE)
Rules established by the US Supreme Court guiding the introduction and use of evidence in federal court proceedings that are an important benchmark for state and other courts. FRE governs what and how electronic records may be used, and the roles of record custodianship
Federal Rules of Civil Procedure (FRCP)
Rules established by the US Supreme Court setting the "rules of the road" and procedures for federal court cases. FRCP include electronic records and continue to be very important as benchmarks in how these records can be used in courts, not only federal, but state and other courts as well
Treatment, payment, and operations (TPO)
The Privacy Rule provides a number of exceptions for PHI that is being used or disclosed for TPO purposes; treatment means providing, coordinating, or managing healthcare or healthcare-related services by one or more healthcare providers; payment includes activities by a health plan to obtain premiums, billing by healthcare providers or health plans to obtain reimbursement, claims management, claims collection, review of the medical necessity of care, and utilization review; the Privacy Rule provides a broad list of activities that are healthcare operations that includes quality assessment and improvement, case management, review of healthcare professionals' qualifications, insurance contracting, legal and auditing functions, and general business management functions such as providing customer service and conducting due diligence
Spoliation
The act of destroying, changing, or hiding evidence intentionally
Department of Health and Human Services (HHS)
The cabinet-level federal agency, and principal agency for protecting the health of all Americans and providing essential human services, especially for those who are least able to help themselves
Admissibility
The condition of being admitted into evidence in a court of law
Health Insurance Portability and Accountability Act (HIPAA)
The federal legislation enacted to provide continuity of health coverage, control fraud and abuse in healthcare, reduce healthcare costs, and guarantee the security and privacy of health information; limits exclusion for pre-existing medical conditions, prohibits discrimination against employees and dependents based on health status, guarantees availability of health insurance to small employers, and guarantees renewability of insurance to all employees regardless of size; requires covered entities (most healthcare providers and organizations) to transmit healthcare claims in a specific format and to develop, implement, and comply with the standards of the Privacy Rule and the Security Rule; and mandates that covered entities apply for and utilize national identifiers in HIPAA transactions (Public Law 104-191 1996)
Privacy Rule
The federal regulations created to implement the privacy requirements of the simplification subtitle of the Health Insurance Portability and Accountability Act of 1996; effective in 2002; afforded patients certain rights to and about their protected health information
Medical identity theft
The fraudulent use of an individual's identifying information in a healthcare setting
Individual
The person who is the subject of the protected health information
Discovery
The pretrial stage in the litigation process during which both parties to a suit use various strategies to identify information about the case, the primary focus of which is to determine the strength of the opposing party's case
Office of the National Coordinator for Health Information Technology (ONC)
The principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information. The position of National Coordinator was created in 2004, through an Executive Order, and legislatively mandated in the HITECH Act of 2009
Release of information (ROI)
The process of disclosing patient-identifiable information from the health record to another party
American Recovery and Reinvestment Act (ARRA)
The purposes of this act include the following: (1) To preserve and create jobs and promote economic recovery. (2) To assist those most impacted by the recession. (3) To provide investments needed to increase economic efficiency by spurring technological advances in science and health. (4) To invest in transportation, environmental protection, and other infrastructure that will provide long-term economic benefits. (5) To stabilize state and local government budgets, in order to minimize and avoid reductions in essential services and counterproductive state and local tax increases
Privacy
The quality or state of being hidden from, or undisturbed by, the observation or activities of other persons, or freedom from unauthorized intrusion; in healthcare-related contexts, the right of a patient to control disclosure of protected health information
Breach
Under HITECH, the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part that compromises the security or privacy of the protected health information (45 CFR 164.402 2013)