Chapter 9 Data Privacy and Confidentiality (review)


The law includes the Red Flags Rule, which consists of five categories of red flags that are used as triggers to alert the healthcare organization to a potential identity theft (16 CFR Part 681). The five categories are:

1. Alerts, notifications, or warnings from a consumer reporting agency
2. Suspicious documents
3. Suspicious personally identifying information, such as a suspicious address
4. Unusual use of, or suspicious activity relating to, a covered account
5. Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account

The three types of covered entities are the following:

1. Healthcare providers, but only those that conduct certain transactions (financial or administrative) electronically. Healthcare providers include hospitals, long-term care facilities, physicians, and pharmacies.
2. Health plans, which pay for the cost of medical care (for example, a health insurance company).
3. Healthcare clearinghouses, which process claims between a healthcare provider and payer (for example, an intermediary that processes a hospital's claim to Medicare to facilitate payment).

The PHI of deceased persons loses PHI status and is no longer protected by HIPAA after the individual has been deceased more than ______ years.

50

A valid authorization is one that contains at least the following elements:

• A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
• The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure
• The name or other specific identification of the person(s), or class of persons, to whom the CE may make the requested use or disclosure
• An expiration date or event that relates to the individual or the purpose of the use or disclosure
• A statement of the individual's right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke
• A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure (subsequent disclosure of health information) by the recipient and no longer protected by this rule
• Signature of the individual and date
• When the authorization is signed by a personal representative of the individual, a description of the representative's authority to act for the individual

DataSource is a business associate of Davis Health System. An individual who was a patient in the Davis Health System contacts DataSource, requesting an accounting of disclosures and stating that this is his right per the HIPAA Privacy Rule. DataSource: a. Does not have to respond to the patient because it is not a covered entity b. May refer the request to Davis Health System c. Does not have to respond to the patient because this is not a HIPAA individual right d. Must respond to the patient and provide an accounting of disclosures

d. Must respond to the patient and provide an accounting of disclosures

Which of the following describes HIPAA consents? a. They are the same as authorizations. b. They expire 60 days after they are executed. c. They are required under the Privacy Rule. d. They are not required to permit use and disclosure of PHI for treatment, payment, or operations.

d. They are not required to permit use and disclosure of PHI for treatment, payment, or operations.

What documentation must be maintained on all accounting of disclosure requests?

The documentation must include the information included in the accounting of disclosures, the written accounting that was provided to the individual, and the titles of the persons or offices responsible for receiving and processing requests for an accounting of disclosures.

The Privacy Rule defines _____________ as communication about a product or service that encourages the recipient to purchase or use that product or service

marketing

The ____________ standard requires that uses, disclosures, and requests be limited to only the amount needed to accomplish an intended purpose.

minimum necessary

Except for certain exceptions for health plans and inmates in correctional facilities, an individual has the right to a notice explaining how his or her PHI will be used and disclosed (45 CFR 164.520). This _____________ must also explain in plain language the patient's rights and the CE's legal duties with respect to PHI.

notice of privacy practices

Fundraising communications that meet the definition of healthcare operations must clearly and conspicuously provide the opportunity to ________ of future communications. This is treated as a revocation of authorization.

opt out

According to state laws, what health information can be disclosed without patient authorization?

reporting of vital statistics (births and deaths) and other public health, safety, or welfare situations.

The Privacy Rule allows an individual the __________________________. With this right, one may request that a CE amend PHI or a record about the individual in a designated record set

right to request amendment

Healthcare providers and health plans must give individuals the opportunity to request that communications of PHI be routed to an alternative location or by an alternative method (45 CFR 164.522(b)(1)). This is the ____________________.

right to request confidential communications

Related to the concept of marketing is the _____________. A CE or BA is prohibited from selling (receiving direct or indirect compensation in exchange for) an individual's PHI without that individual's authorization.

sale of information

The Privacy Rule requires an accounting of all disclosures within the _____years prior to the date on which the accounting was requested.

six

ARRA has specified that, without final clarification of minimum necessary, CEs are to use:

the limited data set (PHI with certain specified direct identifiers removed) for using or disclosing only minimum necessary information, while reverting back to the amount needed to accomplish the intended purpose definition when the limited data set definition is inadequate

A ___________ consists not only of employees, but also volunteers, student interns, trainees, board of directors, and even employees of outsourced vendors who routinely work on-site in the CE's facility

workforce

HIPAA: Individual Rights—Access: Charges

• Reasonable fee may be imposed
• Copying, including supplies and labor
• Postage, when individual has requested information to be mailed
• Preparation of an explanation or summary, if agreed to by the individual in advance
• Retrieval fee not permitted for patient requests
• If costs not actually calculated or averaged for electronic PHI, OCR recommends $6.50 flat fee

The process of providing PHI access to individuals or entities deemed authorized to receive or review it (release of information, ROI). Steps in the process:

• Enter request in ROI database
• Determine validity of authorization
• Verify patient's identity
• Process the request

Right to complain of privacy rule violations

•Must inform individuals of right to complain at covered entity level and to the US Department of Health and Human Services

Probability of compromise determined by four-factor risk assessment:

• Nature and extent of PHI involved, including types of identifiers involved and how likely it is that re-identification can occur
• Who the unauthorized recipient was
• Whether the PHI was actually obtained or viewed
• Degree to which covered entity or BA mitigated the risk

How are a business associate's disclosures typically accounted for?

Typically, BAs account for their own disclosures; the CE, however, is responsible for ensuring that disclosures made by its BAs are accounted for.

Some activities look like marketing but do not meet the Privacy Rule's definition of marketing. As a result, no authorization is required for the following:

• Communications to describe health-related products and services provided by, or included in the plan of benefits of, the CE itself or a third party
• Communication for treatment of the individual
• Case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or care settings (45 CFR 164.501)

Before HIPAA was enacted, patient privacy protection laws had resided with the individual states. What happened as a result of this?

Inconsistent privacy protection for health information

_____________ is a crime that challenges healthcare organizations and the health information profession. A type of healthcare fraud that includes both financial fraud and identity theft involves either (a) the inappropriate or unauthorized misrepresentation of one's identity (for example, the use of one's name and Social Security number) to obtain medical services or goods, or (b) the falsifying of claims for medical services in an attempt to obtain money

Medical identity theft

PHI use or disclosure for marketing requires an authorization from the individual except in certain cases. The following marketing activities do not require authorization:

• Those that occur face to face between the CE and the individual, or
• Those that concern a promotional gift of nominal value provided by the CE

____________ include quality assessment and improvement, case management, review of healthcare professionals' qualifications, insurance contracting, legal and auditing functions, and general business management functions such as providing customer service and conducting due diligence. They do not include marketing or fundraising activities.

Operations

The American Recovery and Reinvestment Act expanded the definition of business associates to include _____________.

patient safety organizations

_____________includes activities by a health plan to obtain premiums, billing by healthcare providers or health plans to obtain reimbursement, claims management, claims collection, review of the medical necessity of care, and utilization review.

Payment

Management of the disclosure of health information function includes the following steps:

Step 1: Enter the request in the disclosure of health information database.
Step 2: Determine the validity of the authorization.
Step 3: Verify the patient's identity.
Step 4: Process the request.

In which situations can a covered entity deny an individual access to PHI without providing him or her an opportunity to review or appeal the denial?

• The PHI was compiled in anticipation of, or for use in, civil or criminal litigation.
• The CE is a correctional institution and an inmate's request for his or her PHI creates health or safety concerns.
• The PHI is maintained by a CE that is exempt from CLIA requirements.

Exceptions to breach definition:

• Unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of a covered entity or BA (information cannot be further used or disclosed in an impermissible manner)
• Inadvertent disclosure of PHI from a person authorized to access PHI at a covered entity or BA to another person authorized to access PHI at the covered entity or BA (information cannot be further used or disclosed in an impermissible manner)
• The covered entity or BA has a good faith belief that the unauthorized individual who received the PHI would not be able to retain the information

Individuals can be prosecuted for HIPAA violations. Penalties apply to BAs. Tiered penalties are based on:

• Unknowing violations
• Violations due to reasonable cause
• Willful neglect (corrected)
• Willful neglect (uncorrected)

Designated record set (DRS) Includes

•health records, billing records, and various claims records used to make decisions about an individual

___________means providing, coordinating, or managing healthcare or healthcare-related services by one or more healthcare providers. For example, it includes caring for patients admitted to the hospital or coming for an appointment with a physician. This also includes healthcare provider consultations and referrals of the patient from one provider to another.

Treatment

________is how a healthcare organization avails itself of health information internally, such as a nurse reviewing a patient's health record.

Use

The CE may deny a request for amendment when it determines that the PHI or the health record:

• Was not created by the CE
• Is not part of the designated record set
• Is not available for inspection as noted in the regulation of access (for example, psychotherapy notes, inmate of a correctional institution, and so on)
• Is accurate and complete as is (45 CFR 164.526)

Per the Fair and Accurate Credit Transactions Act (FACTA), which of the following is not a red flag category? a. An account held by a person who is over 80 years old b. Warnings from a consumer reporting agency c. Unusual activity relating to a covered account d. Suspicious documents

a. An account held by a person who is over 80 years old

Medical identity theft includes: a. Using another person's name to obtain durable medical equipment b. Purchasing an EHR c. Purchasing surgical equipment d. Using another healthcare provider's national provider identifier to submit a claim

a. Using another person's name to obtain durable medical equipment

As a general requirement, the Privacy Rule states that an _____________ for uses and disclosures must be obtained from an individual

authorization

A valid authorization must contain all the following except: a. A description of the information to be used or disclosed b. A signature and stamp by a notary c. A statement that the information being used or disclosed may be subject to redisclosure by the recipient d. An expiration date or event

b. A signature and stamp by a notary

The use or disclosure of PHI for marketing: a. Always requires written authorization from the patient b. Does not require written authorization for face-to-face communications with the individual c. Requires written authorization from the patient when products or services of nominal value are introduced d. Never requires written authorization from the patient

b. Does not require written authorization for face-to-face communications with the individual

Treatment of an individual can be conditioned on the signing of the: a. Authorization b. HIPAA consent c. Notice of privacy practices d. Research waiver

b. HIPAA consent

The Privacy Rule extends to protected health information: a. In any form or medium, except paper and oral forms b. In any form or medium, including paper and oral forms c. That pertains to mental health treatment only d. That exists in electronic form only

b. In any form or medium, including paper and oral forms

Notices of privacy practices must be available at the site where the individual is treated and: a. Must be posted next to the entrance b. Must be posted in a prominent place where it is reasonable to expect that patients will read them c. May be posted anywhere at the site d. Do not have to be posted at the site

b. Must be posted in a prominent place where it is reasonable to expect that patients will read them

Business associate agreements are developed to cover the use of PHI by: a. The covered entity's employees b. Organizations outside the covered entity's workforce that use PHI to perform functions on behalf of the covered entity c. The covered entity's entire workforce d. The covered entity's janitorial staff

b. Organizations outside the covered entity's workforce that use PHI to perform functions on behalf of the covered entity

ARRA also added ________________requirements that specify victims of breaches be notified and, depending on the number of individuals affected, the federal government and media outlets also be notified.

breach notification

A ___________ is a person or organization other than a member of a CE's workforce that performs functions or activities on behalf of or for a CE that involves the use or disclosure of PHI

business associate (BA)

Release of birth and death information to public health authorities: a. Is prohibited without patient consent b. Is prohibited without patient authorization c. Is a public interest and benefit disclosure that does not require patient authorization d. Requires both patient consent and authorization

c. Is a public interest and benefit disclosure that does not require patient authorization

One state's law protects the privacy of health information to a greater extent than HIPAA does. a. The state law will be preempted by HIPAA b. The state law is invalid because it does not provide the same level of protection as HIPAA c. The state law may supersede HIPAA d. The state's law must be consistent with HIPAA

c. The state law may supersede HIPAA

State attorneys general may bring_________in federal district court on behalf of residents believed to have been negatively affected by a HIPAA violation.

civil actions

A ___________is a person or organization that must comply with the HIPAA Privacy Rule.

covered entity (CE)

As a general rule, which of the following is a legally competent individual? a. A minor with a developmental disability b. An adult with a developmental disability c. A minor without a developmental disability d. A minor's personal representative

d. A minor's personal representative

The Privacy Rule applies to: a. Healthcare providers only b. Only healthcare providers that receive Medicare reimbursement c. Only entities funded by the federal government d. Covered entities and their business associates

d. Covered entities and their business associates

The privacy officer is responsible for all of the following except: a. Handling complaints about the covered entity's violations of the Privacy Rule b. Developing and implementing privacy policies and procedures c. Providing information about the covered entity's privacy practices d. Encrypting all electronic PHI

d. Encrypting all electronic PHI

An individual's authorization for research purposes: a. Is always required b. Is not required if the research involves a clinical trial c. Is never required d. Is not required if an IRB or privacy board alters or waives the authorization requirement

d. Is not required if an IRB or privacy board alters or waives the authorization requirement

___________ established tiered penalties, with a range of $100 to $50,000 per violation for unknowing violations; $1,000 to $50,000 per violation if due to reasonable cause (knew or would have known of violation with reasonable diligence); $10,000 to $50,000 per violation for willful neglect that was corrected; and $50,000 per violation for willful neglect that was uncorrected.

ARRA/HITECH

Standard privacy officer responsibilities include the following:

• Development and implementation of privacy policies and procedures
• Promotion of organizational privacy awareness
• Performance of privacy risk assessments
• Maintenance of HIPAA-required forms and records
• Facilitation of privacy training sessions and maintenance of training records
• Compliance monitoring of BAs
• Protection of patient health information rights
• Knowledge of applicable laws and accreditation standards
• Receipt of complaints alleging HIPAA Privacy Rule violations
• Internal investigation of alleged HIPAA Privacy Rule violations
• Participation in breach notification analyses
• Reporting and mitigation of breaches
• Communication with OCR and other entities in compliance reviews and investigations

_________ is how health information is disseminated outside a healthcare organization. An example of this is providing patient information to an insurance company.

Disclosure

The federal _______________ requires financial institutions and creditors to develop and implement written identity theft programs that identify, detect, and respond to red flags that may signal the presence of identity theft.

Fair and Accurate Credit Transactions Act (FACTA)

Under the Privacy Rule healthcare providers are not required to obtain _____________, to use or disclose PHI.

HIPAA consent

An authorization is considered invalid when any one of the following defects exists:

• The expiration date has passed or the expiration event is known by the CE to have occurred
• The authorization has not been filled out completely
• The authorization is known by the CE to have been revoked
• The authorization lacks a required element (for example, an appropriate signature)
• The authorization violates the compound authorization requirements, if applicable
• Any material information in the authorization is known by the CE to be false

Within each statutory penalty range, how is the amount of the penalty determined for a single violation?

The nature and extent of both the violation and the harm determine the amount assessed within each statutory range.

What does right to request accounting of disclosures guarantee for the individual?

The right to receive an accounting of certain disclosures by a CE
