"HIPAA"
So what is the point of HIPAA?
- Makes it easier and more affordable for people to obtain health insurance - Prohibits group health plans from denying or charging extra for coverage because of a person's past or present poor health - Standardizes claims submitted electronically
Your patient has moved to another section of the hospital. May you access his record in order to follow his progress?
- No (because he is now out of your care. You may go visit or inquire about the patient, but you cannot look at his records)
The privacy rule allows providers to disclose pt info only to
-Provide care -Arrange for payment from insurer -Allow pt to find out info disclosed -Allow pt to inspect & obtain a copy of the medical records
Transactions Can Occur Between...
-Provider to Health Plan directly -Through Provider Clearinghouse -Through Health Plan Clearinghouse -Between Clearinghouses -With a single Clearinghouse
What is Protected Health Information?
-any info about past or present health status, provision of health care, or payment for health care that can be linked to a specific individual *Info that is pertinent
HIPAA Security Standards
-assigned security responsibility -controls over physical media -policy over workstation use -physical access controls -secure workstation location -security awareness training -passwords/authentication -disaster recovery procedures -network protection -audit trails
Name some examples of physical safeguards
-control access to records (limited access files) -policies for workstation use
HIPAA
...
What are two ways to de-identify information?
1) A formal determination by a qualified statistician 2) Removing specified identifiers of the individual and of the individual's relatives, household members, and employers.
What year were the HIPAA privacy standards established to protect personal health information?
2003
When did the privacy rule take effect?
2003
When was the Security Rule issued?
2003
Privacy; confidential use of PHI (for treatment, billing, etc.); access (and amend their health) information; provide specific authorization (for use of health info); name withheld (from patient directories); information (concerning their care) not be released (to specific people); (specific) people not told of presence (in a facility)
7 HIPAA patient rights
Minimum civil penalty for HIPAA violation due to reasonable cause and not due to willful neglect (REASONABLE CAUSE)
$1,000 per violation, with an annual maximum of $100,000 for repeat violations
Minimum civil penalty for HIPAA violation due to willful neglect but violation is corrected within the required time period (WILLFUL NEGLECT with correction)
$10,000 per violation, with an annual maximum of $250,000 for repeat violations
Minimum civil penalty for HIPAA violation in which individuals did not know they were violating HIPAA (IGNORANCE)
$100 per violation, with an annual maximum of $25,000 for repeat violations
Anyone caught selling private health care information can be fined up to:
$250,000 and 10 years
Penalties for selling, transferring, or using for profit or malicious harm
$250,000 and/or up to 10 years in prison
Inappropriate disclosure
$50 fine and/or a year in prison
Penalties for knowing misuse
$50,000 and/or up to 1 year in prison
Maximum civil penalty for all types of HIPAA violations
$50,000 per violation, with an annual maximum of $1.5 million
Minimum civil penalty for HIPAA violation due to willful neglect and is not corrected (WILLFUL NEGLECT without correction)
$50,000 per violation, with an annual maximum of $1.5 million
Maximum criminal penalty for violations involving false pretenses
A $100,000 fine, with up to five years in prison
Healthcare Common Procedure Coding System (HCPCS)
A classification system for medical procedures, services, and supplies. It was set up to give providers a coding system that describes specific products, supplies, and services patients receive that are not in CPT.
Which of the following are health care providers?
B: chiropractors, ophthalmologist and hospital
Business Associate
BA. Any person or organization that is not part of a CE's workforce, who works for a CE and is exposed to PHI. Examples would be medical labs and transcriptionists. Special contracts must be signed with CEs that hold them to similar legal standards as CEs under HIPAA.
One good rule to prevent unauthorized access to computer data is:
Blank the screen or turn off the computer when you leave it
HIPAA Privacy rule CE bill___
C-CE safeguard of patient record
Department of Justice
Government agency that investigates the most serious violations of the Privacy Rule
Medical coverage offered by an employer to an employee is a
Group Health Plan
What security standards describe how electronic PHI must be safeguarded?
HIPAA
What guidelines has HIPAA established further for Mobile and Media devices?
HIPAA Security Guidance for Remote use of and Access to Electronic Protected Health Information
3
HIPAA governs how many types of covered entities?
Confidentiality issues
All patient information must be kept confidential and shared only with the appropriate staff involved in the care of the patient.
business associates
HIPAA also applies to ____ ____ -- a person or entity that uses/performs an activity that involves the use of PHI while providing services to a covered entity
Business Associate
An individual or organization that provides business services to a CE and agrees to protect its patients' health information
Protected Health Information PHI
Any piece of information that identifies or could be used to identify a specific individual
HIPAA Compliance required
April 2003
Malpractice claims
Are lawsuits by a patient against a physician for errors in diagnosis or treatment.
Negligence cases
Are those in which a person believes a medical professional's actions, or lack thereof, caused harm to the patient.
Unique Identifiers Rule
As of 2007, health care providers must have a national provider identifier (NPI) whenever submitting information *everyone filing for Medicare MUST have an NPI number
You are a hospital employee who is looking for your friend that is a patient, how should you find out what room she is in?
Ask at the nurse's station or information desk what her room number is
To confirm appts or leave a message on VM or text you should
Ask in advance if you are allowed to do so
What year was HIPAA enacted?
August 21, 1996
tech issue of HIPAA addresses___
B-access to ePHI
Omnibus Final Rule
Harm threshold replaced with burden of proving "low probability that PHI has been compromised".
What does HITECH Act stand for?
Health Information Technology for Economic and Clinical Health Act
HIPAA
Health Insurance Portability and Accountability Act
What does HIPAA stand for?
Health Insurance Portability and Accountability Act of 1996
What is HIPAA
Health Insurance Portability and Accountability Act of 1996
What is the "Need to Know Principle?"
Is the info necessary for your job function? How much info do you need? How much do other people need to know?
Where must the Notice of Privacy Practices be placed?
It must be posted in a clearly visible and prominent location on-site, posted on the CE website, and made available on request.
An example of an indirect provider is ___
Laboratory
Who is responsible for enforcing the privacy regulations?
U.S. Department of Health and Human Services
Confidentiality: The right to privacy as defined by the __________ and the __________.
U.S. Constitution; American Red Cross Association
OSHA is a part of what division?
U.S. Department of Labor
Happens when the HCW discloses pt. information to someone outside the HC team without authorization
Unauthorized Disclosure
Place of Service (POS)
Under HIPAA, an administrative code that indicates where medical services were provided.
National Provider Identifier (NPI)
Under HIPAA, a system for uniquely identifying all providers of health care services, supplies, and equipment.
I do not want my doctor calling me at home. What do I do?
Under the Privacy Rule, patients can request that their doctor's health plans and other covered entities take reasonable steps to ensure that their communications with the patient are confidential. For example, a patient could ask a doctor to call his or her office rather than home, and the doctor's office should comply with that request if it can be reasonably accommodated.
What is the "Minimum Necessary" rule?
Utilization/release of info to the min. necessary to accomplish the intended purpose of the use, disclosure, or request
Sometimes people make weird requests
We don't necessarily need to honor them.
Can you put a patient's name on hospital doors?
Yes-code team needs to be able to find the patient quickly
Subpoenas
_____ for court appearances and testimony can authorize disclosure of PHI.
computer storage media
_______ containing patient records should be completely wiped.
children
_______'s access to their own records is governed by state law
File rooms to be
Locked
Breach examples
Loss or theft of a computer; mailing PHI to the wrong pt; leaving files and/or a computer available for others to see; leaving a voicemail with PHI for others to hear; sharing info with an unauthorized person
What is the original goal of HIPAA?
Make it easier for pts to move from one health insurance plan to another
What is the minimum necessary rule?
Makes reasonable efforts to limit the protected health info to the minimum necessary to accomplish the purposes of a use, disclosure, or request
Organized Health Care Arrangements
May or may not contract as one entity; choose to share PHI; each is separately liable
What records contain information about a patient's health over time?
Medical
Group Health Plan (GHP)
Medical insurance offered to employees and paid for in part or in full by an employer.
PHI protects
Medical or dental condition; Tx or diagnosis; payment for healthcare; any other ID info in record
In 1998, the Department of Health and Human Services (HHS) was directed to bring two health programs into compliance with the Patients' Bill of Rights. What are those two programs?
Medicare and Medicaid
Minimum Necessary Rule
Must only disclose the bare minimum PHI necessary to do a particular job or task. However, for treatment we do not have to limit PHI to the minimum because as much info as possible is needed to treat the patient.
Never call patients on my cell phone
NEVER email/text the patients about their info
Are there different rules for private sector and public sector covered entities?
NO - The provisions of the Privacy Rule generally apply equally to private and public sector covered entities. For example, private hospitals and government run hospitals covered by the Privacy Rule have to comply with the full range of requirements.
Is the hospital prevented from sharing information with the patient's family without the patient's express consent?
NO. Under the Privacy Rule, "a health care provider may disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual," the medical information directly relevant to such person's involvement with the patient's care or payment related to the patient's care.
What does OSHA stand for?
Occupational Safety and Health Administration
Breach occurs when
Occurs when PHI is acquired, accessed, used, or disclosed in a way that HIPAA doesn't permit
Tier A of HIPAA
Offender did not know
Who enforces civil violations of HIPAA privacy standards?
Office for Civil Rights (OCR)
OCR
Office for Civil Rights
Who prosecutes fraud and abuse in the healthcare industry while overseeing Medicare and Medicaid?
Office of Inspector General (OIG)
Never leave computer files
Open
Electronic Medical Records (EMR)
Also called Electronic Health Record (EHR or EMR). A collection of health information that is immediately electronically accessible by authorized companies.
Access to info has to honor TPO: Treatment, Payment, and Operations
Otherwise, we will be liable for our actions
Individually identifiable health information
PHI
protected health information
PHI
need to know principle
PHI should be shared with as few individuals as needed to ensure patient care
Do NOT ever tell pts about their PHI on phone/text/mail or any types of social media
PHI example: leaving a voicemail for Mr. Smith about his heart surgery appointment => No! Just mention the appointment
ePHI
PHI that is stored or transmitted in electronic form.
protected medical information
PMI
If you are sending information via e-mail, security is best maintained with:
PW protection, encryption if it goes over internet, destroying printouts or placing in charts
Make sure you ask who else can hear what I am saying
Page patients only if you have their permission; don't announce names or specific info; use low voices; find a private place to discuss private info
Under HIPAA what must health care providers ensure is always maintained?
Patient Confidentiality
__________ Protects identifiable information being used to analyze patient safety events and improve patient safety
Patient Safety Rule
the _____________ Act ensures the patient has a voice in their end of life decisions
Patient Self-Determination
Can patients access their medical records?
Patients generally should be able to see and obtain copies of their medical records AND request corrections if they identify errors and mistakes. The covered entities may charge patients for the cost of copying and sending the records.
30
Patients have a right to view and copy their PHI within __ days of requesting it, either free or for a reasonable fee as per HIPAA regulations.
PHI
Patients have the right to be told how their _________ can be used.
Notice of Privacy Practices
Patients must sign an additional document stating that they have read and reviewed the provider's _________.
Most important point about privacy rule
Patients want to know that info is not being shared
Health Care Provider
Person/organization who provides, bills for, and is paid for health care services. Only covered if they transmit info electronically according to HIPAA rules.
Who have increased controls over the way they manage and store patient information?
Pharmacies
HIPAA applies to
Photographs, radiographs, paper, spoken info, electronic (emails/fax)
Zero Tolerance
Policies being adopted in healthcare organizations in regard to workforce members who violate the organization's privacy policies.
Who in a health care organization is responsible for HIPAA? ____
Privacy Officer
Administrative Requirements
Privacy Officer, prominent Notice of Privacy Practices, a policy/procedure for use/disclosure of PHI.
What is a major goal of the Privacy Rule?
To assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being
What are Pharmacy Technicians and pharmacists responsible for maintaining in order to protect PHI of patients?
Privacy Standards
What four main areas in the health industry were changed because of HIPAA?
Privacy of health information; standards for electronic transactions of health information and claims; security of electronic health information; national identifiers for the parties to health care transactions.
Security standards are enforced by the ___
CMS
Title I
COBRA is under this part of HIPAA
How did HIPAA get started?
Came about after complaints to Congress "regarding sale of patients' info" by healthcare providers to companies that were using the patients' info for marketing of supplies and services to private practices
What does CDC stand for?
Centers for Disease Control and Prevention
Penalty: Civil ($$$) or Criminal
Civil = 1 year cap and fined up to 1.5mil
Expressed contract
Clearly stated in written or spoken words.
What did the OIG create?
Compliance Program Guidelines
What allows employees who are leaving a job to elect to continue their previous employer's health coverage for a limited time?
Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA)
Hybrid Entities
Covered entity that does both covered and non-covered functions (privacy rule restricted to certain parts of the entity)
"Right to a choice of health care providers," "Must be sufficient to assure access to appropriate high-quality health care," & "Includes the ability to see specialists if your medical care requires it" ARE ALL CONSIDERED TO BE WHICH PATIENT RIGHT?
RIGHT TO CHOOSE
What should every patient receive and sign?
Receive a Notice and be asked to sign an Authorization
The patient has the right to
Receive a copy of their personal health records; change incorrect or incomplete info; ask to be contacted regarding health info via telephone, mail, and/or fax; file a complaint
Uses and Disclosures
Referring to the use and disclosure of a patient's personal health information.
PHI
Refers to any patient information in any form that is created or received by a covered entity, relates to a patient's health condition in the past, present, or future, and identifies the patient.
PHI is disclosed when it is divulged in any way or when someone
Releases it; transfers it; provides it to someone; accesses it outside the dental practice
What are the actions that attribute to disclosure?
Releasing, Transferring, Providing Access, Divulging
What is owned by the patient or person who has a stake in the outcome?
Electronic Health Records (EHR)
List 4 breaches of confidentiality.
Rumors; talking in public areas; unauthorized disclosure; computerized information
A pt's confidential info includes:
SS number, address, age, all related health information including allergies
What specifies how patient information is protected on computer networks, the Internet, the extranet, and disks and other storage media?
Security Rule
What is transforming information via an algorithm to make it unreadable to anyone who does not possess the decryption information required to read it?
Encryption
Notice of Privacy Practices (NPP)
A document stating the privacy policies and procedures of a covered entity (CE).
Notice of Proposed Rule-Making (NPRM)
A document that describes and explains rules that the federal government proposes to adopt at some future date. Interested parties are invited to submit comments, which may then be used in developing a final regulation.
Deficit Reduction Act (DRA) of 2005
A federal law designed to reduce fraudulent claims. It encourages states to pass their own false claims acts.
Designated Record Set (DRS)
A group of medical records. For providers, it includes medical and billing records but not other items, such as lab tests. For a health plan, the designated record set includes enrollment, payment, claim decisions, and medical management systems of the plan.
Covered Entity (CE)
A health plan, a healthcare clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.
Administrative Law Judge (ALJ)
A judge who presides over complaint hearings in HHS and makes determinations of penalties.
When patient records are to be discarded, they should be destroyed by whom?
A licensed, bonded company
Claim Adjustment Reason Codes (RC)
A national administrative code set that identifies the reasons for any differences, or adjustments, between the original provider charge for a claim or service and the payer's payment for it.
Content Standard
Specifies both the data elements that may be transmitted as part of a transaction and how these elements should be coded
Format Standard
Specifies the way elements must be formatted when they are transmitted
Authorization
Statement needed to release PHI for reasons other than treatment, payment, or healthcare operations
What are Treatment, payment, and healthcare operations referred to as?
TPHCO
Administrative Safeguards
Technical safeguards, organizational safeguards, policies and procedures, documentation requirements, and physical safeguards to protect the privacy of PHI
Designated record set
a group of medical records that includes a provider's medical and billing records
Authentication
A person or system is who they purport to be. (ID)
privacy official
a person responsible for all activities related to the development, implementation, and modification of activities involving the privacy of and access to PHI as required by federal, state, local, and organizational regulations and policies. The privacy official assists staff when requests are made for information and receives complaints.
Qualified protective order
an order of the court that prohibits parties from using protected health information for any purpose other than litigation or proceeding for which the PHI has been requested.
Treatment, Payment, and Health Care Operations (TPO)
Under HIPAA, the rule that a patient's protected health information may be shared without authorization for the purposes of treatment, payment, and operations.
PHI
Any data that identifies: name, MR#, SSN, diagnosis, lab result, past/present photos, relatives' names, employer, DOB
Who is a covered entity
any health care provider (regardless of size) who electronically transmits health information in connection with transactions
PHI
any piece of information that identifies or could be used to identify any specific individual
patient may revoke authorization at___
anytime
Privacy Rule
applies to all healthcare providers, healthcare clearinghouses and healthcare plans
What are security rules?
apply to PHI that is sent electronically; these rules govern PHI that is being transmitted, used, or stored in electronic format
manage, store
As a result of the privacy rule of 2003, pharmacies have direct control over the way they ______ and ______ patients' information.
tiered system
Look to ____ ____ (consequences) for those that violate HIPAA -- 4 tiers
Confidentiality applies to both ________ and _________ information learned during the course of exams/hospitalization.
medical; personal
Victim (domestic violence, abuse, neglect by parent/guardian); emancipated; seeking treatment (family planning, psychiatric counseling, substance abuse)
A minor must be given permission first, and PHI cannot be disclosed to the parent/guardian if:
Fax machines
Not considered electronic communications; fall under the written rules
NOPP
notice of privacy practices
NPI mandate for use__
now
What do patients have the right to do?
register complaints with federal agencies and with the facility if they feel their rights have been violated
Consent
required under some states' laws but not by HIPAA, authorizes the CE to disclose the individual's PHI to carry out TPO. You should check with your privacy official to determine whether the state you are working in requires consent
HITECH law: *TQ- will be on the FINAL
Something about "What it means for you"
physical security/workstation
disaster control, physical access control and device and media control
What is DNR?
do not resuscitate
Encounter
The form of documentation undertaken for every visit is also known as an ______; visits to healthcare providers are documented thoroughly.
Office for Civil Rights
Government agency that accepts and investigates complaints related to the Privacy Rule; it enforces civil violations of HIPAA privacy standards.
PHI
health information that relates to a past, present, or future physical or mental health condition.
3 covered entities
health insurance plans, health care providers and clearinghouses
talk to instructor
if ever in doubt about what info may be given out
Medical records should be retained for ____
indefinitely
Required Disclosures
Individuals or their personal representatives; HHS for purposes of a compliance investigation, review, or enforcement action.
Disclosure
the release, transfer, or sharing of health information with another individual or entity outside the healthcare organization holding this information
What is res ipsa loquitur?
the thing speaks for itself
Title I
this part of HIPAA focuses on continuation of health insurance coverage and insurance reform
What did HIPAA call on DHHS to do?
To: • Standardize electronic patient health, administrative, and financial data • Ensure unique health identifiers for individuals, employers, health plans, and health care providers • Ensure security, confidentiality, and integrity of PHI
Authorized use of info
Treatment, billing, healthcare operations
Discussion of patient records should occur in private only, NOT in elevators, hallways, waiting areas, parking lots...
true
privacy rule
Under this rule, information belongs to the patients, and they have the right to control who is able to view it. It applies to healthcare providers, health insurance plans, and clearinghouses.
HIPAA Penalties
-$100 per violation, $25,000 cap -Criminal penalties (1-10 years based on intent)
Under HIPAA, a health care plan can look back for pre-existing conditions up to ____
6 months
Authorization
Allows use of PHI for any purposes other than TPO
HITECH Act
American Recovery and Reinvestment Act of 2009, signed into law; enhanced and expanded the HIPAA privacy and security rules and the penalties for violating one's privacy
When did HIPAA become effective?
April 2003
What are the goals of ePHI?
Availability, Confidentiality, and Integrity of the information
What is the privacy rule of HIPAA?
-federal standard for PHI protection -preserve quality health care -assure security, privacy and confidentiality
COBRA requires ____
C
Privacy officer must be ___
C
What does the notice give patients?
-info about their rights -a description of how their PHI may be used by the facility -a comprehensive list of others to whom their health information may be disclosed
When referring to PHI, what must you avoid?
-names, geographic identifiers, dates related to individual, phone #s, email addresses, social security numbers, medical record #s, etc
What are privacy rule required activities?
-notification -implementation -training -privacy official -security
Penalties for misuse under false pretenses
$100,000 and/or up to 5 years in prison
Leaving voicemails
* Do not mention diagnosis or planned treatment! * Do not mention specifics "the Root Canal clinic" * It is OK to confirm an appointment date and time
Ex 2: A nice, sweet lady asks in a very soft voice for Bob's problem
*IMP* Tell her: Sure, let's wait until Bob is finished with his Tx and have him list you on the Friends and Family info release section. I will be here all day and will explain to you everything you want to know.
Medicare and Medicaid will require plans to provide critical information and allow patients to compare information about health care -- this is called __________?
Information disclosure
Notice of privacy practices
Informs patients of their privacy rights.
Negligence
Is used to describe the actions of a practitioner who fails to exercise ordinary care, resulting in patient injury.
Patient consent
It is the written permission from individuals to use and disclose their PHI for purposes of providing treatment, obtaining payment, and conducting healthcare operations.
ICD-9-CM (International Classification of Diseases, Ninth Revision, Clinical Modification)
Mandatory code set used by the United States. It provides rules for selecting and sequencing diagnosis codes in both the inpatient and the outpatient environments.
What do providers use to explain to patients how their PHI may be used and disclosed?
Notice of Privacy Practices (NOPP)
PHI
Personal Health Information
Operations
Providers are allowed to share information in order to conduct normal business activities.
Tier B of HIPAA
Reasonable cause and not willful neglect
Release of Information (ROI)
Release of information (ROI) of a patient's information.
Right to review and copy your own medical records & Right to request amendments to your own medical records are CONSIDERED TO BE WHICH PATIENT RIGHT?
Right to Privacy
Transaction Standards
Standards that support the uniform format and sequence of data during transmission from one healthcare entity to another
If state laws are more strict, which law applies?
State
What is children's access to their own records governed by?
State Law
What regulates many types of health insurance?
State Law
What is the history of HIPAA?
The US federal government passed a law in 1996 that created national standards to protect patient medical records and other personal health information
Under HIPAA
The individual has the right to inspect a copy of his or her health record
Retaliation
The privacy rule prohibits acts of revenge, known as _________, against any person filing a complaint about a privacy violation.
The right of patients to receive accurate, easily understood information to assist them in making informed decisions about their health plans, facilities, and professionals is which Basic Patient Right?
The right to information
Title II
The rules in this part of HIPAA cover administrative, financial, and case management policies and procedures. It contains strict requirements for the uniform transfer rules of patient confidentiality.
**About de-identified PHI
There are no restrictions on the use or disclosure of de-identified health information.
State laws
These types of law regulate many types of health insurance
What are the two main sections of the law?
Title 1: Health Care Portability Title 2: Privacy Rule
What are the primary goals of HIPAA?
To improve the portability and continuity of healthcare coverage
What is a transaction?
Transactions = claims, benefit eligibility inquiries, referral authorizations, etc.
Health Care Clearinghouse
Translates data content or format for another entity from non-standard transaction formats to standard format
TPO
Treatment Payment Operations
There must now be a system in place to record the name of every person that views a patient's records
True
True/False: There is a difference in the length of time allowed for compliance between small health plans and large health plans
True
True/False: There are no restrictions on de-identified health information
True
Who regulates HIPAA? ___
U.S. government
Criminal penalties
When an individual violates HIPAA through knowing or wrongful misuse of individuals' health info
In general, information about a patient can be shared:
When it is directly related to treatment
Validated
When protected health information PHI is being used or disclosed for reasons other than treatment, payment, or healthcare operations, the authorization for the release of the PHI must be....
When can you disclose relevant info? (3)
When the patient agrees; when the patient is given the opportunity to object and does not; when the physician decides, based on professional judgment, that the patient doesn't object.
judicial
_____ orders can override a patient's preferences regarding the release of PHI.
HIPAA is ________ driven
Complaint driven
How must computer storage media be discarded?
Completely Wiped
Authorization
Consent given after patient education given
Passwords
Do not reveal your password to anyone and don't post it near computer
Examples of privacy safeguards
Door locks, cabinet locks, procedures for handling charts and computer screens, alarm systems, policies about who is permitted to access PHI
"Minimum necessary"
A concept of the Privacy Rule under which CEs are required to implement reasonable policies and procedures for workforce members to limit their use and disclosure of PHI to the minimum necessary to accomplish the intended purpose.
Security:
ability to control access to and protect info
What are the HIPAA requirements for security?
Administrative, physical, technical
EDI
Electronic Data Interchange
What are often confused with EMRs?
Electronic Health Records (EHR)
What is owned by the delivery organization?
Electronic Medical Records (EMR)
What may also be shared between authorized healthcare professionals more easily than paper records?
Electronic Medical Records (EMR)
What record system is not really interactive with the patient?
Electronic Medical Records (EMR)
What do HIPAA security standards focus on?
Electronic PHI (Protected Health Information)
The set of rules that provide admin. simplification by standardizing the codes and formats used for the exchange of data is referred to as:
Electronic Transaction Record
Required to train health care workers
Employer
ERISA
Employer offered health plans are regulated by this Act of 1974
Rule 1: Don't ask for more info than you need
Ex:
Info sys activity review:
Extremely important, especially in case of an audit
HIPAA mandates the creation of unique identifier code for every patient
False
The general privacy rule now states that every effort must be made to notify patients of the institution's privacy policy and to obtain written acknowledgement of this
False
The issue of portability deals with protecting coverage for employees who change jobs.
False
Who regulates HIPAA
Federal and state regulated
The right to privacy gives birth to what organization?
Health Insurance Portability and Accountability Act
What does HIPAA stand for?
Health Insurance Portability and Accountability Act
What is Title I of HIPAA called?
Health Insurance Reform
HIPAA_defined code sets that serve as standards for all electronic data interchange include:
ICDM-10, CPT, ANSI X12N Not ID ANSI
information technology
IT department
Why is it important to only talk about patient information in private areas?
If someone who isn't taking care of the patient hears it, it would be a HIPAA violation.
EDI
electronic data interchange
What is respondeat superior?
healthcare facility responsible for employees during the course of employment
another term for HIPAA
public law 104-191
Which of the following is a violation of the Sarbanes-Oxley Act?___
punishing a whistle-blower
self referrals
referring patients to an entity in which the referrer receives some monetary compensation
Information "disclosure"
release outside of organization.
emailing PHI
Secure/encrypted; remove PHI from the response; do not forward from a secure to a non-secure account; remind patients not to send PHI by email; cut and paste into a Word doc and password-protect the file; call the recipient with the password, or send it in a separate email
minimum standards
set forth ____ ____ of basic privacy protection
disclosure
sharing information outside the entity
4 ways the law has changed the way business is conducted in the health care industry
standards for privacy, standards for electronic transactions, standards for security and standards for unique national identifiers
You can reveal medical information needed for research if
the patient authorizes it
electronic health records
the records rely on EMRs to be in place
Administrative code sets
These are non-medical code sets used for administrative information; they include simple and complex codes.
Risk Analysis
what risks we have
What are the components of HIPAA
-Title I: Access, Portability and Renewability *Intended to protect workers and their families when they change jobs & limits restrictions that group health plans can place on preexisting conditions -Title II: Administrative Simplification *Penalties for privacy violations & control against fraud and abuse (arising from electronic sharing of personal information)
Confidentiality Issues
All patient information must be kept confidential and shared only with the appropriate staff involved in the care of the patient.
True/False An NPI will change every year
False
Always use info from medical records only
For the TX of pt
privacy rule
Guideline under HIPAA that sets national standards for the protection of health information
Malpractice
Is the negligent delivery of professional services.
What are pharmacy technicians not authorized to make decisions about for the patient?
Medication Decisions
Who has the right to view and copy their PHI within 30 days of requesting it, with free or for a reasonable fee as per HIPAA regulations?
Patients
False
True/False. medical records cannot be considered legal documents so accuracy is not very vital when documenting that appropriate medical care has been given to each patient.
One exception to confidentiality is
a minor that is pregnant
security rule
ability to control access to protect PHI
Health Information
any information, whether oral or recorded in any form.
Cryptography is the ___
encoding of a message
Office of civil rights
government agency that accepts and investigates complaints related to the Privacy Rule
How long can preexisting condition last?
may not last for more than 12 months (18 months for late enrollment)
OHS
Office of HIPAA Standards
What is included in health information?
▫ Demographics, that identifies or can be used to identify a person ▫ Health condition ▫ Name ▫ Treatment ▫ Payment
If breach happens
-if this happens REPORT IMMEDIATELY IN WRITING to the designated person in the office
What is the IRB
-institutional review board: an appropriately constituted group that has been formally designated to review and monitor biomedical research involving human subjects
Consent Must Contain
-plain language -anticipated uses and disclosures -right to request restrictions -right to revoke consent -date/signature -mention of notice of privacy practice
Administrative Requirements of HIPAA
-policies/procedures -safeguards (protect PHI) -mitigation -workforce training -employee sanctions -personnel designations -complaint process -documentation for 6 years
PHI Exceptions
-public health -FDA medical device malfunction -criminal investigations -mandated reporting of abuse -suspicious deaths/injuries -health oversight; disciplinary action -worker's comp -emergency
What are the elements to prove malpractice?
1. breach of the accepted standard of care 2. causation 3. damages
Implied contract
Actions or conduct of the parties, rather than words.
final enforcement rule
HIPAA rule of 2006 that clarified that both acts and omissions may constitute violations
Electronic
HIPAA security standards focus on what kinds of PHI.
HIPAA Electronic Health Care Transactions and Code Sets (TCS)
HIPAA standards governing the electronic exchange of health information using standard formats and standard code sets
Current Dental Terminology (CDT)
HIPAA-mandated code set for procedures performed in a dental office.
health care provider id
NPO- national provider identifier
What is Title II of HIPAA called?
Administrative Simplification
Who participates in the protection of patient records?
All Healthcare Professionals
Intentional Torts
Assault, invasion of privacy, defamation of character, battery, fraud, false imprisonment.
National security
Entities that may have access to PHI generally any time they request it.
...
Guideline under HIPAA that sets national standards for the protection of health information
Notice of privacy practices aka
HIPAA form
What is DNR/CC Arrest?
all needed tx until heart stops
security incident
attempted or successful unauthorized access, use, disclosure, modification or destruction of PHI
Title II
controls the private health information of individuals. It is known as administrative simplification.
The proliferation of computers in medicine has:
created new dangers for breaches of confidentiality
Can one doctor's office send the medical records of a patient to another doctor's office without that patient's consent?
YES - NO CONSENT IS NECESSARY for one doctor's office to transfer a patient's medical records to another doctor's office for treatment purposes.
What does durable mean?
means the person remains in control until the patient dies or a court removes the person
What does HIPAA provide?
national floor
Notice of privacy practices
paperwork given to clients explaining your policies & procedures
Facilities will no longer be able to post ______ anyplace where visitors might see them. This includes door tags and whiteboards at nurses' stations that are in public view:
patients' full names
employer id
EIN - employer identification number
What does CIA stand for?
ensure the confidentiality, integrity and availability of all ePHI
What are covered entities?
health care providers who transmit health information electronically
kickbacks
incentive given to those who defraud others
incidental disclosures
incidental release of confidential information
IIHI
individually identifiable health information
disclosure
information released to an outside entity whether by email, fax, verbally, or in writing.
____________________ is when patient agrees to the proposed course of treatment after having been told about the possible consequences of having or not having the procedure or treatments.
informed consent
patients have the right to
inspect and obtain copies of their PHI produced during psychotherapy
office for civil rights
investigates complaints
True/False Title I covers administrative simplification
False
True/False You should feel comfortable sharing a password if a physician gives you the password
False
True/False Patients have the right to request restrictions on use of PHI
True
True/False Rules for release of information do not cover court orders received by a CE
True
True/False State law requires that physicians must report certain diseases
True
Which of the following is a violation of the Privacy Rule?___
c
Chart
...
CDT-4
code set used for dental services
PHI
Protected Health Information
What are the three advanced directives?
• Living Will • Durable Power of Attorney • Do Not Resuscitate Order
What is the Living Will?
A will in which the patient requests not to be kept alive by medical life-support systems in the event of a terminal illness
True/False A CE may not charge for a patient's copy of medical records
False
Protected Health Information Includes
Name/dates/phone/email/SSN/Account numbers/medical record numbers/ vehicle information/IP address/ biometric identifiers/full face images/any other identifying information
Unintentional Torts
Negligence, malpractice.
Must all healthcare providers adhere to the Patients' Bill of Rights?
No, only medicare and medicaid
PHI stands for
Protected Health Information
Confidentiality
The practice of permitting only certain authorized individuals to access info with the understanding that they will disclose it only to other authorized individuals
Assault
To cause another person to feel threatened.
If the use of patient information does not fall under TPHCO what must be obtained before the information can be shared with anyone?
Written authorization
contingency plan
backup and recovery plan required
NDC
code set used for drug products
Firewalls and passwords help protect
e-mails and electronic transmissions
What is Electronic Protected Health Information also referred to as?
ePHI
What records may be stored in computers and related peripheral devices, and transmitted over computer networks, over the Internet, and on removable media that interface with computers?
ePHI
ePHI
electronic Protected Health Information
What programs came together to create Medicare and Medicaid?
"Patients' Bill of Rights and Responsibilities" & Department of Health and Human Services (HHS)
What are the key elements to the privacy rule?
-covered entities -transaction standards -practice, purpose, requirements -compliance and enforcement -research -clinical application
What must be protected by healthcare personnel, including pharmacy technicians, who must know which types of information they can release?
Access to Medical Records
HIPAA
Act of 1996 that deals with the patient's right to preserve privacy
False Claims Act
Act that prohibits false claims and misrepresentations, and rewards "whistle-blowers" who alert the government to cases of fraud.
____________ are the expression of a patient's decisions regarding end of life issues.
Advanced Directives
HITECH Act
Breach Notification introduced to HCPs.
A law firm that does business with a health care entity is called a ____
Business Associate
HIPAA rules apply to____
C: workers, provider, and insurer
Who developed Universal Precautions and Standard Precautions?
CDC
The key standard of practice for interpreters related to HIPAA
CONFIDENTIALITY, through HIPAA's Privacy Rule, which regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities," and its Security Rule, which deals with electronic information
•minor is victim of domestic violence, abuse, or neglect by parent/guardian •minor is emancipated •minor is seeking treatment for family planning, psychiatric counseling, or substance abuse
Cannot disclose to a parent/guardian if:
Health providers responsibility regarding confidentiality
Comply with protocols; provide the "Notice of Privacy Practices" (NPP) document
What in general, is the patient's ethical right to privacy and is protected by law?
Confidentiality
What does HIPAA recommend the inclusion of, an instruction that anyone who receives the communication in error should immediately contact the sender and destroy the information received?
Confidentiality Notice
May a pharmacist disclose to a treating physician that a patient is receiving a prescription drug for the treatment of substance abuse?
Depends on where the pharmacist is working. NO, if the pharmacist works for a federally funded substance abuse treatment facility; YES, if the pharmacist does not work for a federally funded substance abuse treatment facility.
Fraud
Depriving or attempting to deprive a person of his or her rights.
What must be handled with great care?
Discarded Patient Information (DPI)
What must never be thrown in to the trash, because documented cases exist of individuals who have stolen both paper records and computer disks containing hundreds or thousands of patient records?
Discarded Patient Information (DPI)
licensed, bonded company
Discarded patient information must be handled with care. When patient records are to be discarded, they should be destroyed by a ________. It should never be thrown into the trash.
What is the release of PHI to any outside entity referred to?
Disclosure
What may be made by e-mail, fax, verbally, or in writing?
Disclosure
What occurs when the entity holding the information performs any of the following actions causing the information to move outside the entity: Releasing, Transferring, Providing Access, Divulging (in any manner)
Disclosure
Exceptions to the Minimum Necessary Use
Disclosure is requested by the patient or a personal representative; investigation of a complaint by the Department of Health and Human Services; any suspected case of domestic violence.
Examples of Universal Precautions
Disposable gloves, masks, goggles, face shield, gowns.
_____________ A type of advance directive in which the patient chooses a person to make medical decisions for them if they become unable to do so
Durable Power of Attorney
True or False: A HCW can release pt info for statistical purposes without authorization.
False
True/False A crosswalk is not created to match UPIN to NPI
False
True/False COBRA guarantees health coverage for at least 3 yrs unemployment
False
True/False Electronic Data Interchange is between people and a computer
False
True/False HIPAA preempts state laws
False
True/False HIPAA privacy rule debt collection agency
False
True/False Health care provider must obtain..notify patient disease
False
True/False If more than one doctor is treating the patient, the physicians need to assign authorization
False
True/False Malware is a type of secure software
False
True/False Office sign-in sheets are banned by HIPAA
False
True/False PHI stands for private health information
False
True/False Parent must always be notified if minor is pregnant
False
True/False There is a natural identifier set up for patients
False
True or False: A HCW exposed to a contagious disease has the right to know of the pt's health status
False; he/she DOES NOT have that right
Office of the Inspector General (OIG)
Federal agency that investigates and prosecutes fraud against government health care programs such as Medicare.
department of health and human services
Who enforces HIPAA standards and regulations, and also enforces against related abuse and fraud?
trained employees
Who may protect patients' records and must also understand the legal regulations about who may have access to them?
What is fraud?
willful and intentional misrepresentation of facts that may cause harm to an individual or result in loss of an individual's rights or property
What is assault?
willful attempt or threat to inflict injury
Dental records are legal records?
yes
Civil Money Penalties (CMP)
Financial penalties imposed by the OIG for a wide variety of conduct.
Maximum criminal penalty for violations involving intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm
Fines of $250,000, and imprisonment for up to ten years
__________ is a notice of privacy practices available to individuals
Formal document
___________ is an entity that processes or facilitates the processing of information received from another entity.
Health Care Clearinghouses
Who enforces HIPAA regulations and government standards, and is conducted by the Office of Inspector General and the Department of Justice?
Health Care Fraud and Abuse Control Program
What is HITECH Act
Health Information Technology for Economic and Clinical Health. Focus is on privacy and security concerns of electronic transmission of health information
Who is affected by HIPAA?
Health Insurance Plans, Health Care Providers, Health Care Clearinghouses
HIPAA
Health Insurance Portability & Accountability Act
HIPAA stands for
Health Insurance Portability and Accountability Act
HIPAA stands for___
Health Insurance Portability and Accountability Act
___________ are an individual or group plan that provides or pays the cost of medical care
Health Plans
Name two examples of how sharing health information publicly can have bad results.
Health information could be used to restrict or terminate employment, and can be used to sell insurance products for financial gain.
What may harm patients financially and even medically if unsafe procedures are performed as a result?
Healthcare Fraud and Abuse
Who are Medical records shared with in order to provide accurate patient care?
Healthcare Professionals
Who is impacted by HIPAA?
Healthcare providers, Health plans, Health care clearinghouses
What does HIPAA stand for?
Hospital Insurance Portability and Accountability Act
$100-$25,000
How much money could you owe for a Tier A HIPAA violation?
$1,000-$100,000
How much money could you owe for a Tier B HIPAA violation?
$10,000-$25,000
How much money could you owe for a Tier C HIPAA violation?
$50,000-$1.5 million
How much money could you owe for a Tier D HIPAA violation?
The pt. has the right to know:
How the info is being used; a summary of patient rights; how to obtain a copy of his health record; how to file a complaint; when and where info was disclosed and with whom
Privacy
Is the individual's right to keep certain info to him/herself with the understanding that the info will only be disclosed with his or her permission
What does the code HCPCS stand for?
Items, Supplies, and non-physician Services
Is it true that the Privacy Rule mandates all sorts of new disclosures of my patient information?
NO - Disclosure is mandated in ONLY TWO SITUATIONS: 1) To the individual patient upon request 2) To the Secretary of the Department of Health and Human Services for use in oversight investigations
Does the Privacy Rule prevent members of the clergy from finding out whether members of their congregation are hospitalized?
NO - HIPAA specifically provides that hospitals may continue the practice of disclosing directory information "to members of the clergy," UNLESS the patient has objected to such disclosure.
Is the hospital prevented from sharing a patient's directory information?
NO - The Privacy Rule permits hospitals to continue the practice of providing directory information to the public unless the patient has specifically chosen to opt out.
Protected Health Information
PHI. Patients' medical/billing records protected under HIPAA. Covers past, present, or future. Can be written, printed, recorded, photographed, or oral. Must be destroyed by burning or cross-cut shredding
Healthcare Fraud and Abuse Control Program
Program that enforces HIPAA regulations and government standards, and is conducted by the OIG and DOJ.
National Council for Prescription Drug Programs
Programs that create and promote data transfer standards relating to the practice of pharmacy. Members of this program must receive education tailored to their pharmacy practice, and also receive database services.
What does PHI stand for
Protected Health Information
What does PHI stand for?
Protected Health Information
What is PHI?
Protected Health Information
What is controlled by HIPAA for covered entities use and disclosure?
Protected Health Information (PHI)
What is violated if the Patient's Name, Address, Medical Record Numbers, or Phone Numbers are disclosed?
Protected Health Information (PHI)
What may be used or disclosed by providers as long as the use or disclosure relates to treatment, payment, or the operation of the provider's business activities?
Protected Health Information (PHI)
What is PHI
Protected Health Information (PHI) PHI identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
Notice of privacy practices
Provided to patient each time policies change
Payment
Providers are allowed to share information in order to receive payment in order to provide care to patients.
Treatment
Providers are allowed to share information to provide care.
In what programs are you not permitted to reveal the ID of a pt (pt usually referred to as Jane/John Doe)
Psychiatry/Chemical Dependency
Reasons to Terminate Care?
Refusal to follow physician instructions, personality conflicts, failure to pay for services rendered, repeated failure to keep appointments, patient family members' complaints, disagreement regarding medication orders.
Remittance Advice Remark Codes (REM)
Remark codes maintained by CMS and used by payers to explain why payments differ from billed amounts.
"Means that if a person truly is experiencing a medical emergency they may seek emergency medical care" IS CONSIDERED TO BE WHICH PATIENT RIGHT?
Right to Access to Emergency Services
"If a patient is unable to participate fully, they may have representation" IS CONSIDERED TO BE WHICH PATIENT RIGHT?
Right to Being a Full Partner in Health Care Decisions
When a person uses the PHI he or she
Shares, employs, applies, utilizes, examines, or analyzes the info within the dental practice
Patients Charts
Should not be left in holders on treatment doors.
Dispose of PHI
Shredding
Requirements to disclose
Some require a patient's authorization but some do not. Examples: 1. specialists 2. dental plan
What is an autonomous person?
Someone who is capable of making their own decisions and pursuing their individual path.
Who has less protection concerning the disclosure of their PHI?
State and Federal prisoners
What does individually identifiable mean?
That the information used would identify a specific patient, unique to that patient.
Who enforces non-privacy standards?
The Centers for Medicare and Medicaid Services (CMS)
Title II
The portion of the HIPAA law known as administrative simplification. The rules in this section cover administrative, financial, and case management policies and procedures. It contains strict requirements for the uniform transfer rules of patient confidentiality.
What is HIPAA
The privacy of all patients protected health information
Notice of Privacy Practices
These are created by providers, detail their policies and procedures, and are made available to anyone who requests them.
Medical Code Sets
These are used to encode data elements concerning specific diagnoses and clinical procedures. There are six code sets used for clinical information.
Privacy Standards
These standards require that privacy policies be appropriate to the services provided, and a specific person within the organization oversees them. Pharmacy techs and Pharmacists are responsible for maintaining them in order to protect PHI of patients.
State and Federal Prisoners
This group of people has less protection concerning the disclosure of their PHI, though state statutes may overrule HIPAA in certain circumstances
COBRA
Title I of HIPAA can also be referred to as
What restricted electronic transfer of healthcare data, gave patients more rights regarding their own personal health information, and put in place better security of this information?
Title II of HIPAA
Two main sections of the law.
Title one: health care portability; Title two: preventing healthcare fraud and abuse, administrative simplification, medical liability reform.
TPO
Treatment payment operations
TPO
Treatment, Payment and Health Care Operations
What does TPO stand for?
Treatment, Payment, Operations.
Permitted Uses
Treatment, Payment, and Healthcare Ops (TPO)
Title I The portion of the HIPAA law concerned with health insurance reform.
The main purpose of Title I is to ensure continuation of health coverage when employees change jobs. It also entitles people who leave a job to continue their health insurance coverage as a private payer for a limited period of time under COBRA.
Administrative Simplification (ASCA)
The part of HIPAA that gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the standards to protect the security and privacy of ePHI. This is Title II.
Title I
The portion of the HIPAA law concerned with health insurance reform. The main purpose of Title I is to ensure continuation of health coverage when employees change jobs. It also entitles people who leave a job to continue their health insurance coverage as a private payer for a limited period of time under COBRA.
T/F: Every health care organization is expected to develop policies and procedures to guide HIPAA practices within their facility
True
T/F: Every person who provides care or assistance to patients in that facility is expected to understand and comply with HIPAA regulations. It is essential that all patient health information be kept confidential
True
The single most important key to administrative simplification is standardizing a set of transaction standards and code sets throughout the healthcare system
True
True or False: Access to the chart is only directed by the pt, not by the MD
True
True or False: Families are denied access to their relative's chart even when terminally ill
True
True or False: The patient has the right to request that the info. disclosed be limited, but the hospital is not required to agree with restrictions.
True
True/False A health plan may be offered by employer, CE and other groups.
True
True/False A remittance advice is a statement that includes how and why a claim is denied
True
True/False All CEs must have NPP information available for patients and members
True
True/False Business associates must follow HIPAA standards
True
True/False Electronic medical record may..thought to reduce medical error
True
True/False Encryption is the encoding of a message
True
True/False Fraud is intentional and abuse is not on purpose
True
True/False HIPAA standards apply only to electronic transactions of CEs
True
True/False Medical records are legal documents
True
True/False Patient can request amendment to medical record
True
True/False A patient's medical record may be withheld under certain restrictions
True
True/False Under HIPAA all CEs are required to perform a risk analysis
True
True/False Under HIPAA consent of ePHI makes sure information is not change during transmission
True
True/False Using PHI for profit results in prison and a $250,000 fine
True
True
True/False. PHI may be transmitted electronically, via the internet and other methods. It includes all of a patient's basic information as well as that of relatives, employers, and health insurance providers.
Reasonable
Under the Privacy Rule, workforce members are expected to take _____ steps to safeguard protected health information.
What is The Patient Self Determination Act
This act ensures that the patient has a voice to share their end-of-life decisions. Because these wishes "cover" something that hasn't happened yet, they are called advance directives.
Standard Precautions is a combination of what?
Universal Precautions and Body Substance Isolation guidelines
Impermissible
Unnecessary use or disclosure of health information that could have been reasonably prevented
What are HIPAA Criminal Penalties?
Up to $250,000 in fines -Imprisonment up to 10 years
Moral
Values serve as the basis for ethical conduct.
Ex 1: Mom comes in and asks for daughter's med record, yelling
Well, regardless how mad she is, NO means NO.
•communicable disease •abuse of child or elder •malfunctioning medical device •court order to release information •suspicious death or crimes •credible threat to do harm to someone
What are permitted releases
Tier D of HIPAA
Willful neglect and the organization did not correct it
Tier C of HIPAA
Willful neglect and the violation was corrected
Does HIPAA permit the disclosure of an injured worker's protected health information without his or her authorization for the purposes of adjudicating the individual's Worker's Compensation claim?
Worker's Compensation plans are excluded from the definition of a "health plan." The Privacy Rule is not intended to impede the flow of health information to those who need it to process claims or coordinate care for injured or ill workers under the Worker's Compensation system. The minimum necessary provision requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose.
What must you have from the patient to release any of the patient's information?
Written authorization
Can HIPAA violations also affect your medical license or certification?
YES
Can the police get to protected health information in my pharmacy?
YES
Can I give prescription records to investigators from the Medical and Dental Boards?
YES A Board rule provides that a pharmacist may disclose pharmacy records to investigators of occupational licensing boards whose licensees have prescribing authority during the course of an investigation.
does the patient have the right to review notes in the pharmacy computer?
YES the patient does have the right to see that information.
Are health care providers allowed to use sign-in sheets and call out the names of patients in waiting rooms?
YES - as long as the information disclosed is appropriately limited. For example, the sign-in sheet should not include the reason for your visit, since this is private medical information and does not need to be shared with other patients. This can be done by FAX, telephone or other means. Your health care provider is required to put in place reasonable and appropriate safeguards to protect your medical information. For example, your doctor's staff needs to confirm that the fax number they are using is correct.
Does HIPAA permit (not require) covered entities to continue certain existing disclosures of health information for specific public responsibilities?
YES - These permitted disclosures include: * emergency circumstances; * identification of the body of a deceased person, or the cause of death; * public health needs; * research that involves limited data or has been independently approved by the Institutional Review Board; * oversight of the health care system; * judicial and administrative proceedings; * limited law enforcement activities; and * activities related to national defense and security. NOTE: The Privacy Rule generally establishes new safeguards and limits on these disclosures. Where no other law requires disclosures in these situations, covered entities may continue to use their professional judgement to decide whether to make such disclosures based on their own policies and ethical principles.
What does the Security Rule entail
defines administrative, physical and technical safeguards *i.e. if you are going to fax something, you must ALWAYS have a cover sheet
pre-existing exclusions for pregnancy___
does not apply
What is negligence?
doing something a reasonable person would not do
Electronic PHI
ePHI. Any PHI that is in electronic form (computers, copiers, faxes, and PDAs)
What is durable power of attorney?
effective when person incompetent to make decisions -usually determined by a living will -two separate individuals: medical and financial
warned reprimanded suspended removed
employees may be ____, ____, ____, or ____ from their position for viewing non-job related record or disclosing information
Workforce members
employees, volunteers, students and trainees of a healthcare organization
what are the 4 categories of identifiers
employer, provider, health plan and patient
privacy officer
every facility has a ____ ____ who oversees HIPAA implementation
physical safeguards
facility access control, workstation use, workstation security device and media controls
nursing code of ethics BU BSN handbook KY board of nursing standards of practice
failure to comply with HIPAA also violates 3 things
Who regulates employer-offered health plans?
federal Employee Retirement Income and Security Act of 1974 (ERISA)
Risk Management
figure out a way to address them
intent to sell
fine of $250000 and/or prison 10 years
security audit, important because...
gate keeper for front end compliance, minimum necessary standard and need to know basis, hold users accountable, protect PHI, monitor systems and policy effectiveness
People come in with a Court Order
You have to call the judge to verify the court order. If the person bullies me and wants it now, they can take a seat or come back tomorrow.
What is defamation?
holding up a person to ridicule, scorn or contempt
Under HIPAA the following are required to send electronic claims____
hospitals
What do privacy rules do?
identify what information is protected and define how and when PHI may be used or disclosed
1996
in ____ the US federal government passed a law (HIPAA) that created national standards to protect patient medical records and other personal health information
Covered Entity
includes health plans, healthcare clearinghouses, and healthcare providers who transmit health information
basic concepts security rule
info security risk assessment, risk analysis, risk management, separation of duties, least privilege, threats, vulnerabilities, cost effective security controls and safeguards
Integrity
information content not alterable except under authorized circumstances
Protected Health Information (PHI)
information generated in the course of providing healthcare that can be uniquely linked to the patient.
Disclosure
information must only be provided to the patient or person authorized by him or her; pharmacy personnel must understand how to properly interact with all family members, friends, and caretakers of the patient.
Authorization
is required before PHI can be used for any purpose other than TPO. The authorization form has required statements and core elements: -A description of the information to be used or disclosed -The names of the persons making the request -A description of the purpose of the request -An expiration date for the authorization -The signature of the individual and the date
Title II The portion of the HIPAA law
known as administrative simplification. The rules in this section cover administrative, financial, and case management policies and procedures. It contains strict requirements for the uniform transfer rules of patient confidentiality.
computer security
lock up, firewall, anti virus, software updates, no unnecessary access, no clear-text passwords, no proxy, encrypt, password protect, auto logoff, backup
controls
management controls focus on management of risk; operational controls are implemented and executed by the workforce; technical controls focus on controls executed by the information system
chronological
medical record documents of the medical history of a patient are in ______ order
what are examples of entity departments HIPAA officers oversee?
medical staff, IT dept, legal advisory, risk mgmt, satellite clinics, ancillary depts(misc)
IT department
monitors your activity; unacceptable access will be flagged
Universal Precautions
more exposure = more protection
written documents
must be monitored for proper protection
when business associate violate an agreement to protect PHI the CE______
must take steps to end the violation
What are some common
name address SSN medical records number
What makes up parameters?
name of procedure, benefits, risks/adverse effects, length of time, alternatives, consequences of refusal
What is the Privacy Rule
national standard for electronic transfers of health data
Purpose of HIPAA
national standards for electronic health care transactions; national identifiers for providers, health plans, and employers; addressed the security and privacy of health data.
Does patient consent apply to HIPAA consent?
no
Confidentiality
no unauthorized information disclosure
ePHI
records that may be stored in computers and related peripheral devices, and transmitted over computer networks, over the internet, and on removable media that interfaces with computers
Electronic Health Care Transactions and Code Sets
set of standards that says all providers are required by HIPAA to use the same code sets, identifiers, and transactions when healthcare information is being transmitted.
Storage of paper information
should be in a locked cabinet
What is an authorization?
signed by the patient for use and disclosure of specific PHI that are not related to treatment, payment, or health care operations
health plans, provider organizations, hospitals, ambulatory facilities, nursing homes, home health
six covered entities HIPAA applies to
business associates
software vendor, health insurance company, cleaning service, copier service, billing company, medical equipment service company, legal advisors
security rule
specifies how patient information is protected on computer networks, the internet, extranet, and disks and other storage media.
ePHI
PHI that is stored or transmitted in electronic form.
USE
the act of accessing any health information by a workforce member for the purpose of performing a task within a healthcare organization
What are the four primary objectives of HIPAA?
• Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions • Eliminate fraud and abuse • Enforce standards for health information • Guarantee security and privacy of health information
While HIPAA will not ban calling a patient's name in a waiting room, to increase privacy a facility might consider
using a number tag system
Notice of Privacy Practices
using this notice, providers explain to patients how their PHI may be used and disclosed, their access to their own information, patients' full rights, and how to register complaints.
Sanction Policy
we have to honor the policy otherwise bad behavior will be documented and we will get in trouble
Availability
when and where needed
Who enforces the privacy rule?
• Department of Health and Human Services • Office of Civil Rights can conduct reviews • Individuals can file a complaint
Read over patient responsibilities
• Providing information about past illnesses, hospitalizations, medications and any other thing that would affect their health care. • To participate effectively in health care decisions. • To get clarification if they do not understand. • For ensuring that the health care institution has a copy of advance directives or living will. • Informing physicians if they anticipate problems in following a prescribed treatment. • Be aware of hospital's obligation to provide care for other patients. • Providing information for insurance claims. • Making payment arrangements.
What are the three basic principles of HIPAA?
• Respect of persons • Beneficence • Justice
What are the seven rights in the patient's bill of rights?
• Right to information • Right to choose • Right to access emergency health services • Right to being a full partner in health care decisions • Right to care without discrimination • Right to privacy • Right to speedy complaint resolution
What are the three goals of Patients' Bill of Rights and Responsibilities?
• Strengthen consumer confidence that the health care system is fair and responsive to consumer needs • Reaffirm the importance of a strong relationship between patients and their health care providers • Reaffirm the critical role consumers play in safeguarding their own health
HIPAA law overrides most state laws that define and regulate patient privacy
False
Reasonable steps
Must be taken to ensure your information stays confidential
Indirect providers
providers that include labs that handle patient test results
Direct providers
providers that provide direct treatment to patients
How many people, on average, have access to a single pt record?
75
How can you verify identity?
-a photo ID -password chosen by patient to ensure confidentiality -information known by those close to patient and who are permitted to access PHI
What is patient protection?
-access to medical records -notice of privacy practices -limits of use of PHI -prohibition on marketing -confidential communication
What information needs to be kept private?
-all information that identifies an individual -name, address, DOB, phone/fax, SS, medical record, hospital/room #, nursing/physician notes, treatment plans, billing/insurance records
Organizations or individuals that violate HIPAA rules are subject to monetary fines (up to ______) and civil or criminal charges (up to ___ in jail)
$ 250,000 and 10 years
Civil violation
$100 per person, per violation, up to $25,000 per calendar year
Centers For Medicare and Medicaid Services (CMS)
(Formerly known as HCFA) The division of Health and Human Services responsible for health care. CMS is responsible for Medicare and parts of Medicaid. CMS maintains specifications for various certifications and authorizations used by the Medicare and Medicaid programs. CMS also maintains various code sets.
How does HIPAA affect State laws?
* The new federal privacy standards do not affect State laws that provide additional privacy protections for patients. * The Privacy Rule will set a national "floor" of privacy standards that protect all Americans, and any State law providing additional protections would continue to apply. * When a State law requires a certain disclosure, such as reporting an infectious disease outbreak to the public health authorities, the federal privacy regulations would not preempt the State law.
Individual Rights
- to receive a notice of the privacy practices of any health care provider, health clearinghouse, or health plan. -to see their PHI and get a copy. - to request that changes be made to correct errors in their records or to add information that has been omitted. - to see a list of some of the disclosures that have been made of their PHI. - to request that you give special treatment to their PHI. - to request confidential communications. - to complain.
What are HIPAA Civil Penalties?
-$100 per violation; up to $25,000 per year -More fines if multiple year violations
Purpose of HIPAA
-*Protects* individuals' medical records and other personal health info -gives *patients more control* over their health info -established *safeguards* that health care professionals must achieve in order to protect the privacy of health info -holds *violators accountable* by imposing civil & criminal penalties if necessary
What information is exempt by law and must be reported to the proper authorities without the patient's consent? Name as many as you can.
-Births and deaths (filed with state registrar) -Injuries caused by violence (GSW) -Threats of serious bodily harm to another that may reasonably be believed. -Child abuse (physical/sexual) -Vehicular accidents involving drug/alcohol -A reportable communicable or sexually transmitted disease. (Some examples tuberculosis, hepatitis, AIDS, tetanus, gonorrhea, syphilis, chlamydia, and genital warts.)
Name some penalties that result from violations
-Civil penalties: fines -Criminal penalties: imprisonment and fines *There are BIG fines, and they are a lot larger for those who do something intentionally *There are a few examples on slides 15-19 of the HIPAA ppt
HIPAA Enforcement Agencies
-Dept. of Justice -Centers for Medicare and Medicaid services -Electronic Healthcare Transaction and Code set Rule -National Employer Identifier Number Rule -Office for Civil Rights -Office of Inspector General
What are the three "Test Questions" when considering respecting others?
-Does it allow persons to freely and intelligently determine the course of their own lives? -Does it relate to promises or commitments we have made explicitly or implicitly? -Can you apply the Golden Rule?
title II provisions
-Electronic health information transaction standards -Penalties -Privacy -Provider and health plan mandate and timetable (2 years to start) -State law preemption
True/False: according to HIPAA, you may not discuss a patient's health status and/or treatment with family members
-False (as long as you have patient's permission)
HIPAA
-Goal: improve portability and continuity of health insurance -Originated as plan to reduce health care administrative costs
Health Plan
-HMO -Group Health Plans -Medicare A/B -Medicare Advantage Plans -Medicaid
What are ways that HIPAA may be violated in the front office and medical records areas of a healthcare facility? Name as many as you can.
-Leaving paper charts where patients/public have access -Not properly disposing of patient information; it should be shredded or placed in a confidential bin. -Leaving patient information on a copier or fax machine. -Not using a password or having an easy password -Leaving medical CDs or DVDs where patients/public have access
Authorization Must Contain
-PHI to be used/disclosed -persons to receive/make use of disclosure -expiration date -revocation rights -warning that it may be re-disclosed by another party
True/False: only those members of the healthcare workforce who are involved in a patient's care are allowed to review the patient's chart
-True
Requirements of a Covered Entity
-Written contract (permitted uses, disclosure, reporting of misuse of PHI) -Satisfactory assurance that they will safeguard PHI -Contract language requiring solution/termination after violations -NO: external monitoring
Can health care providers talk about patients if there is a chance of others hearing (such as at nursing station)
-Yes, if reasonable safeguards are used *Quiet conversation *Shielded records *Restricted personal access
Name some examples of administrative safeguards
-covered entities must adopt a privacy notice (patients must sign a consent form prior to receiving care) -CEs must train employees and students -CEs must appoint a privacy officer -CEs must be able to show proof of ongoing training and must be able to establish a complaint process
What must every agency develop?
-develop policies and procedures that guide HIPAA implementation, evaluation and revision -develop a process for handling privacy related complaints
What are some exceptions to the release of PHI
-emergency situations, public health issues (when a person has been exposed to a communicable disease), law enforcement purposes, judicial and administrative proceedings, victims of abuse, organ procurement organizations, etc.
Name some examples of technical safeguards
-encryption -authentication process when communicating with others -documented risk analysis
What must every agency ensure?
-ensure no retaliation occurs against someone who reports potential violations in good faith -ensure processes are in place to demonstrate compliance with documentation and record keeping
What are legal issues?
-good samaritan law -malpractice insurance -documentation: not documented/never happened -incident reports: for accidents/injuries
What does HIPAA stand for
-health insurance portability and accountability act
The term "covered entity" refers to
-healthcare provider -insurance company
What are patient's bill of rights- medicare/medicaid?
-information disclosure -choice of providers/plans -access to emergency services -participation in treatment decisions -respect and nondiscrimination -confidentiality of health info -complaints and appeals -internal appeals -external appeals
What does PHI cover?
-information used within a facility -verbal or written information -information stored in computer files -patient information stored in paper files -data shared between providers, payers or third parties
What makes up consent?
-informed -implied -oral
What must you do before you can legally release PHI?
-must confirm the identity of the person requesting -determine if the requesting person is entitled to the information -verify what specific information this person is permitted to have
What are privacy rule purposes?
-patient -established boundaries -safeguards -penalties for violations -public disclosure
What are the key components of security rules?
-physical security: protects computer hardware, wiring, systems, areas, and buildings -technical security: determines the type of information that may be accessed by individuals -technical security mechanisms: automatically monitor computer systems and report suspicious activity -administrative procedures: outline steps taken by the facility to enforce security rules
What effects does the Unique Identifiers Rule have on research
-protection of participant info must be part of the IRB (institutional review board) approval...meaning, informed consent forms must include details on how the participant's PHI will be protected *Retrospective files are more difficult *Reasons why we have IRB: Tuskegee files in Alabama; Henrietta Lacks; testing drugs on prisoners
Compliance
-provider -clearinghouse -plans
What does the Privacy Rule entail
-regulates use and disclosure of information by "covered entities": health insurers, medical service -guidelines for sharing the minimum necessary information -ensures confidentiality of communication with patients
What makes up the patient's rights/responsibilities as appointed by president clinton?
-right to choose -right to information -access to emergency services -full partner in decision making -care without discrimination -right to privacy -right to speedy complaint resolution -required to take responsibility for health care
What does HIPAA guarantee?
-right to privacy -right to confidential use of PHI -right to access and amend their health info -right to provide specific authorization -right to have their name withheld from patient directories -right to request that information concerning their care is not released to specific individuals -right to request that specific individuals are not told of their presence in a facility
What are the goals of patient's bill of rights?
-strengthen consumer confidence in healthcare -reaffirm strong relationship between patient and healthcare provider -reaffirm critical role of patients in maintaining their own good health
When dealing with written or computerized info
-turn computer screens inward -post schedules on inside walls (hidden) -keep printed materials hidden -keep pt forms and charts face down on counter -when using a fax, call first to notify recipient
Is it permissible to fax information about a patient to another health care provider or insurer?
-yes (DON'T leave data in fax machine; use cover sheet)
What are some of the benefits of the Privacy Rule
-you have access to your own medical records -health care providers must state how personal medical info is used and disclosed (i.e. info can't be used for marketing without your consent) -you can find out who has accessed your records for the past 6 years -you can file a complaint if you suspect a violation -you can choose to have your name in the hospital directory *YOU MAY NOT LOOK AT A PT's RECORD if you are not treating them
Why do I have to sign an authorization?
1. An authorization is a more customized document that gives permission to use protected health information for specific purposes, which are generally other than treatment, payment, or operations. 2. An authorization is often used to disclose protected health information to a third party specified by the individual. 3. The authorization must state the purpose of each disclosure or use and the individual has the right to revoke it in writing.
HIPAA requirements
1. Dental offices are required to keep health info PRIVATE 2. Must notify patients of the privacy act 3. Must inform patients of their legal rights
HIPAA "Administrative Simplification" 4 ways
1. Electronic transactions and code sets standards requirements: use the same health care transactions, code sets, and identifiers. 2. Privacy requirements - govern disclosure of patient protected health information (PHI) while protecting patient rights. 3. Security requirements - administrative, technical, and physical safeguards required 4. National identifiers
4 Tips when working with computers/faxes
1. Encrypt any pt info sent in an email 2. double check address line of email 3. Pt info must be removed from computer before it is discarded 4. have a cover sheet on faxes containing pt. info
List the 3 consequences for breaches of confidentiality.
1. Lawsuit - monetary fine 2. Suspension/Termination 3. Loss/Revocation of License
At its core, HIPAA is designed to (5 ANSWERS)
1. Make health insurance more portable (helping workers/families to keep coverage with job changes) 2. Reduce healthcare fraud and abuse (which wastes 1/3 of every healthcare dollar) 3. Improve efficiency and effectiveness (of payments and other transactions) 4. Protect the privacy and security of medical records 5. Build statistical data for analysis (to better understand diseases and how they spread)
6 Basic HIPAA guidelines:
1. Talk in a private location where you cannot be overheard. 2. Set up a code system for protecting info. given out via phone. 3. When authorization has not been given, firmly but politely withhold info. 4. Shield computer screens from people walking by. 5. Never share computer access codes. 6. Prior to discarding, shred printed records.
Exceptions to Confidentiality Governed by Reporting Laws
1. Threats of harm directed at 3rd party 2. Cases of child, adult, or elder abuse 3. Certain communicable diseases 4. Criminal wounds 5. Poisonings 6. Industrial accidents 7. Death of uncertain nature
What is the intent of the Privacy Rule?
1. To give individuals more control over their health information and to set boundaries on the use and release of health records. 2. To establish appropriate safeguards to protect privacy of health information and hold violators accountable through civil and criminal penalties. 3. It also strikes a common sense balance between privacy and the public good.
a provider who has fewer than ___
10
What year was the HIPAA act enacted
1996
Year in which HIPAA was introduced
1996
How many provisions of HIPAA are there?
2
financial and legal, professional, academic
3 other potential consequences of HIPAA violations
How long does a patient have to view or copy their requested records?
30 days
Length of time Doctor's office has to provide you with copies of your medical records
30 days
electronic, written, spoken, heard
4 forms of PHI
elevators, friends and family, email, printouts of PHI
4 high risk situations where tempted to disclose PHI inappropriately
How many deaths in a hospital are preventable?
44,000-98,000
photoduplicate/fax (patient documents), PHI notes in trash, browse patient charts, discuss information (where others may overhear), leave sensitive information visible
5 things the student CANNOT do
communicable diseases, abuse (child or elder), malfunctioning medical devices, court order (to release info), suspicious deaths/crimes, credible threat (to do harm to someone)
6 permitted releases
keep records safe, limiting access (to only those who need it), personal ID/passwords, firewalls, logging off, screen turned (away from public), (posted information) out of sight, random security (audit trails), cover sheets (when faxing)
9 ways facilities protect PHI
What is a notice for privacy practices
A document prepared by the dental office to tell patients 1. Some rights individuals that HIPAA gives them 2. How their PHI may be used and disclosed by the dental practice
What is HIPAA (Health Insurance Portability & Accountability Act)?
A federal law imposed on all health care organizations.
False Claims Act (FCA)
A federal law that prohibits submitting a fraudulent claim or making a false statement or representation in connection with a claim.
Maximum criminal penalty for violations involving "knowingly" obtaining or disclosing individually identifiable health information
A fine of up to $50,000, as well as imprisonment up to one year
Covered Entity
A health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a transaction
Corporate Integrity Agreement (CIA)
A negotiated agreement between the OIG and a covered entity (CE) in which the CE agrees to certain obligations in return for the OIG's agreement not to exclude the CE from participation in federal health care programs.
Business Associate
A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity itself. Business associates, such as law firms and countenance must adhere to HIPAA standards in order to do business with a covered entity.
Business Associates
A person/organization who performs services to a covered entity that includes access to or use of protected health information -Hospital and community physician treating the same patient (not janitors)
What is a healthcare Clearinghouse
A public or private entity that transforms health care transactions from one format to another
National Plan and Provider Enumeration System (NPPES)
A system set up by HHS which processes applications for NPIs, assigns them, and then stores the data and identifying numbers for both health plans and providers.
What is Durable power of Attorney?
A type of advance directive in which the patient chooses a person to make medical decisions for them if they become unable to do so
American health information management association
AHIMA
In a hospital, the obligation to maintain confidentiality applies to:
All medical and personal information
HHS Interim Final Rule
Allowed covered entities to determine a breach based on "significant risk of harm"
Consent
Allows use and disclosure of PHI for TPO only, written consent must be obtained by "in-take" providers
30
Amendments may be requested to correct any parts of their PHI and these must usually be completed within __ days
Battery
An action that causes bodily harm to another, even touching without permission.
Certification of Compliance Agreement (CCA)
An agreement between the OIG and a health care entity in which the OIG negotiates a compliance agreement for infractions that are not considered serious.
Consolidated Omnibus Budget Reconciliation Act (COBRA)
An amendment to Title 1 of HIPAA that gives employees the right to continue health coverage as a private payer for a limited period of time once they leave a job.
Remittance Advice (RA)
An electronic message that explains how a payer arrived at benefits.
Designated Standard Maintenance Organization (DSMO)
An organization that has been designated by the secretary of HHS to perform those activities necessary to support the use of a HIPAA standard. Such organizations make technical corrections to an implementation specification, expand a code set, or recommend other modifications to keep the standard current.
Covered Entity
Any doctor's office, clinic, hospital, nursing home, or other entity that is covered under HIPAA law. aka CEs. Have to meet certain conditions to be covered. Nearly every healthcare provider in the USA is a CE
Covered entity
Any health care provider, health insurance plans, or clearinghouse to which the Privacy Rule applies (those who must comply with HIPAA)
What is a Health plan
Any individual or group plan that provides or pays the cost of health care
"Minimum Necessary Standard"
Any individual's access to and use of PHI must be at the minimum amount necessary to accomplish the intended purpose or to perform the functions of their job
Who is a Healthcare provider
Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which standard requirements have been adopted. Hospitals, physicians, dentists, etc
Covered Entity
Any provider, health plan, or clearinghouse to which the Privacy Rule applies.
Code Set
Any set of codes used to encode data elements - includes terms, med. concepts, diagnostic codes, medical procedure codes (ICD 10, CPT)
When did HIPAA go into effect?
April 14, 2003
The privacy and data security portions of HIPAA go into effect
April 2003
Negligence cases
Are those in which a person believes a medical professional's actions, or lack thereof, caused harm to the patient.
When you don't recognize staff members who request info then you should
Ask for their ID
Security Risk Assessment
Assets - network/hardware/data; Threats - employees/theft/hacker; Vulnerabilities - poor controls/passwords; Losses - fines/lawsuits/reputation; Safeguards - designed to assess threats/vulnerabilities
Data security issues that must be addressed by HIPAA implementation teams include:
Back up, access controls, and internal audits
Why is it risky to take pictures in a healthcare facility?
Because you may accidentally get patient or patient's information in the picture (Armband, room sign, family pictures, anything that could identify a patient.)
Portability
Being able to transfer group health insurance from one job to another
Under HIPAA risk management is___
D: plan reduce threat security
Defamation of character
Damaging a person's reputation by making a public statement.
DII
De-Identified Information
HIPAA privacy rule
Deals with PHI in all its form, including medical charts and records.
________ is medical advice, treatment, diagnosis received or recommended DURING the 6 month period prior to an individual's enrollment date.
Defining Preexisting Condition
What was encouraged so routine business information exchange could be exchanged between computers?
Electronic Data Interchange (EDI)
What provides interactive patient access?
Electronic Health Records (EHR)
What relies on an EMR being in place?
Electronic Health Records (EHR)
What are preferred over paper records because they can be accessed more quickly, and take less room to store?
Electronic Medical Records (EMR)
What is a legal record of a care delivery organization upon which an EHR is based?
Electronic Medical Records (EMR)
Electronic information includes
Emails, Desktops, Laptops, Electronic dental records, CD-ROMs, Flash drives
Make sure your practice has security rules when using
Emails, Passwords, Social media, Laptops, CD-ROMs, Flash drives, Backing up data, Encryption, Disposing of electronics
Who does this regulation affect
Every entity that submits health info as a claim to a dental plan to see if a patient is enrolled in a plan -healthcare providers -dental practices -hospitals -health plans -health ins -health care clearinghouses
Rule 3: Don't share more info with people than what they ask you for
Ex: Joe chose not to share his health info with his family, friends and even his wife. His wife goes to the same church as Dr. Foutch and asks him about Joe's problem. Dr. Foutch goes back, checks and tells his wife what happened => So wrong!!! => Can't release info without the patient's permission
Rule 2: Don't use more than what you need
Ex: some people give you the full medical record => only use what I need so I don't become liable
Notice of Privacy Practice
Explains to the patient how we use their PHI • Must be available to all patients • Patients may decline to receive it
List at least 6 individually identifiable items
Geographic divisions smaller than a state (cities, counties); Specific dates; Phone number; Fax number; Email address; SSN; Medical record number; Health plan beneficiary numbers; Account numbers; Certificate/license numbers; Vehicle identifiers and serial numbers; Device identifiers and serial numbers; Web URLs; IP address numbers; Biometric identifiers (including finger, voice prints); Full face photo and other images; Any other unique identifier
department of justice
Government agency that investigates the most serious violations of the Privacy Rule, prosecutes criminal violations
Privacy Rule
Guideline under HIPAA that sets national standards for the protection of health information
who assigns NPI___
HHS
health insurance portability and accountability act
HIPAA
__________ Protects the privacy of individually identifiable health information.
HIPAA Privacy Rule
What requires that covered entities implement policies and procedures that will prevent, detect, contain, and correct security violations?
HIPAA Security Rule
_____________ Sets the national standards for security of electronic protected health information.
HIPAA Security Rule
who oversees the privacy and security of the entity, training and stays up to date on current HIPAA regulations?
HIPAA officers
2003
HIPAA privacy standards were established in _____ to protect personal health information.
confidentiality notices
HIPAA recommends this notice be included, instructing anyone who receives the communication in error to immediately contact the sender and destroy the information received.
What training is required so that pharmacy technicians and pharmacists are acquainted with all policies and procedures designed to protect PHI?
HIPAA training
compliance guidelines
HIPAA- related privacy, training, and security regulations designed to focus on, correct, and maintain good healthcare practices
Current Procedural Terminology (CPT)
HIPAA-mandated procedural code set developed, owned, and maintained by the American Medical Association.
health information technology economic and clinical health
HITECH Act
HIPAA stands for
Health Insurance Portability & Accountability Act
Purpose
Improve healthcare through standardization of electronic data -Creates "floor" for Federal privacy protections
Confirm appts
In a generic way: leave date and time only. NEVER LEAVE DETAILS
What is Protected Health Information?
Individually-identifiable health information that is transmitted or maintained in any form or medium
Torts are either _____ or _____.
Intentional Unintentional
False imprisonment
Intentional, unlawful restraint or confinement of a person.
Invasion of privacy
Interference with a person's right to be left alone.
ICD-9-CM
International Classification of Diseases, Ninth Revision, Clinical Modification. Mandatory code set used by the United States. It provides rules for selecting and sequencing diagnosis codes in both the inpatient and the outpatient environments.
What is considered an unauthorized disclosure?
Invasion of Privacy
Law
Is a rule of conduct or action.
Security
Is a safeguard to protect electronic health info
Ethics
Is a standard of behavior.
Contracts
Is a voluntary agreement between two parties in which specific promises are made for consideration.
What can override a patient's preference regarding the release of PHI?
Judicial Orders
In Ohio, who has access to a child's medical records?
Legal Guardian
Affiliated Covered Entities
Legally separate entities with common ownership and control - permits use of PHI between facilities
Minimum Necessary Information
Limiting use and disclosure of Personal Health Info ("Patient's name, appointment time, doctor")
_____________ A will in which the patient requests not to be kept alive by medical life-support systems in the event of a terminal illness
Living Will
MSDS
Material safety data sheets
What is Beneficence?
Maximize possible benefits and minimize possible harms
US Treasury
Monies collected under penalties imposed under the Privacy Rule are deposited by the ________, not disbursed to the complainant.
Can providers release a patient's private health information to life insurers, financial institutions, employers, marketing firms, or another outside business for purposes not related to the patient's health care?
NO, unless the patient signs a specific authorization allowing the release.
A patient's sister calls to check on her, what information can you give her?
NONE, you cannot even say that she is a patient.
Notice of Privacy Practices
NPP. Notice that HIPAA requires CE's to give their patients. Briefly tells patients about their new HIPAA rights and how to use them
When a patient requests that his or her health information not be disclosed to anyone, who can the healthcare provider disclose the information to?
No One
Does using email mean the provider is a covered entity?
No, The transmission must be in connection with a transaction, sent electronically directly or using a billing service or other third party to do so on its behalf.
NPP
Notice of Privacy Practice -must be given to all patients -clear language -include an example of TPO
Before a procedure is carried out, a _________ must be given to the patient
Notice of Privacy Practices
What is a document that explains to patients how his or her PHI may be used and disclosed?
Notice of Privacy Practices (NOPP)
What must providers create, which details their policies and procedures, and make it available to anyone who requests it?
Notice of Privacy Practices (NOPP)
violation of privacy rules is enforced by ____
OCR
Availability:
OD pro go down => can't access the info
Can a physician's office FAX my medical information to another physician's office?
The HIPAA Privacy Rule allows doctors to share your medical information for treatment purposes. This can be done by FAX, telephone or other means. YOUR HEALTH CARE PROVIDER IS REQUIRED TO PUT IN PLACE REASONABLE AND APPROPRIATE SAFEGUARDS TO PROTECT YOUR MEDICAL INFORMATION. For example, your doctor's staff needs to confirm that the fax number they are using is correct.
Protected Health Information (PHI)
The HIPAA terminology for individually identifiable health information in any medium, except such information maintained in education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records.
The dental office must document that each pt received _______
The NPP acknowledgement (notice of privacy practices) -the patient signs the notice -if pt does not want to sign, document your good faith effort to obtain their signature
Who must comply with the new HIPAA privacy standards?
The Privacy Rule covers: 1. Health plans 2. Health care clearinghouses 3. Health care providers who conduct certain transactions electronically
Office for Civil Rights (OCR)
The division of Health and Human Services responsible for enforcing the HIPAA privacy rules. Privacy is considered a civil right.
office for civil rights
The division of Health and Human Services responsible for enforcing the HIPAA privacy rules. Privacy is considered a civil right.
Centers For Medicare and Medicaid Services (CMS) (Formerly known as HCFA)
The division of Health and Human Services responsible for health care. CMS is responsible for Medicare and parts of Medicaid. CMS maintains specifications for various certifications and authorizations used by the Medicare and Medicaid programs. CMS also maintains various code sets.
Electronic Data Interchange (EDI)
The electronic exchange of information between computers, especially the exchange of health information among physicians and insurance companies.
electronic data interchange
The electronic exchange of information between computers, especially the exchange of health information among physicians and insurance companies.
Department of Health and Human Services (HHS)
The federal department that administers federal programs covering public health and welfare.
Department of Justice (DOJ)
The federal government's main law enforcement division.
Health Insurance Portability and Accountability Act (HIPAA) of 1996
The federal legislation covering rules regarding the health care industry, specifically how it is administered and rights of patients in regard to health care coverage and privacy.
Does the Privacy Rule set limits on how health plans and covered providers may use individually identifiable health information?
YES - To promote the best quality care for patients, the rule does NOT restrict the ability of doctors, nurses and other providers to share information needed to treat their patients. HOWEVER, in other situations personal health information generally may not be used for purposes not related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose.
Can I still pick up prescriptions for a family member?
YES - Under HIPAA, a family member or other individual may act on the patient's behalf "to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information."
May providers charge patients for the cost of copying and sending their requested medical records?
YES.
A clinic places patient charts in a plastic box outside of the exam room. Would this practice be considered sufficiently secure?
Yes
May a PT "discuss" a patient's symptoms/treatment with another health care professional via email?
Yes
A visitor calls to ask location and general condition of a friend. Are you permitted to disclose information?
Yes (if you recognize voice; you can be vague...if spouse, family member, etc)
Can state modify HIPAA?
Yes -- they can make rules stricter
In the patients' bill of rights is the consumer responsible for anything?
Yes: responsibilities are things that the patient must do... maintain good health
Can a provider disclose relevant info if the patient is not present or incapacitated?
Yes, if it is in the patient's best interest.
written authorization
______ must be obtained before information can be shared with anyone if the use of patient information does not fall under TPHCO
which of the following is a violation of the Stark law ___
a
privacy and security officer
a pharmacy often has a ___________ who handles disclosure of PHI. this officer usually receives referred requests from patients to access or amend their records, and strives to handle them in a timely manner.
regulation
a standard or guideline
The three criteria for criminal liability under HIPAA
a. To "knowingly" obtain or disclose individually identifiable health information b. False pretenses c. Intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm
What information can be disclosed without consent
abuse STI transmission by state vehicular accidents under influence research cadavers
technical safeguards
access control, audit control, integrity, person or entity authentication and transmission security
150
according to AHIMA an average of ____ people have access to a patient's medical record during a typical hospitalization
Attribution/ non-repudiation
actions taken are traceable
patient sign-in sheets should not contain
address, phone, or insurance carrier
what are 3 safeguards to protect ePHI in the security rule?
administrative, technical and physical
Centers for Medicare and Medicaid Services
agency that enforces non-privacy standards
Department of Justice
agency that prosecutes criminal violations
Office of Inspector General
agency that prosecutes fraud and abuse in the healthcare industry while overseeing Medicare and Medicaid
privacy rule
all PHI is to be private in any form or media
What are advanced directives?
allow patient to make decisions regarding care
State law preemption
allowed HIPAA to supersede state laws unless HHS decided otherwise; however, when state law is stronger, it must be followed.
authorization
allows use and disclosure of PHI for reasons other than TPO
minimum necessary
amount of information necessary to do the job
Healthplan
an individual or group plan that provides or pays the cost of medical care
The school can track down when, where, who and what info we look at on the EMR
because we have to log in to the system
organization requirements
business associate contracts and requirements of group health plans
BAC
business associate contract
ICD-9-CM
code set used for identifying disease and conditions
ICD volume 3
code set used for inpatient hospital services
HCPCS
code set used for items, supplies, and non-physician services
CPT-4
code set used for medical procedures and services
What is CC?
comfort care (pain meds, oxygen, nutritional support, supporting body, clearing the airway)
What is DNR/CC
only Tx for comfort care- NO CPR
Access Control
only authorized persons, for authorized uses
"Covered Entity"
organization responsible for HIPAA compliance.
monitor for compliance investigate breaches report
organizations have a responsibility to ____ ____ ____ and must ____ ____ and ____ to its privacy officer
register a complaint violated
patients have the right to ____ ____ ____ with federal agencies and the facility if they feel their rights have been ____
opt out
patients right to refuse to be in directory or clergy list
Criminal Penalties
penalties assessed for intentional misuse of PHI, can be as high as $250,000 and up to 10 years in prison.
Civil Penalties
penalties usually given for violating privacy on an unintentional basis. can be as high as $25,000 in fines per year
consent
permission to disclose for reasons of TPO
incidental disclosures
permits ____ ____ that cannot be "reasonably prevented"
prescriber, pharmacist
pharmacy techs are not authorized to make medication decisions for patients-- they must follow the exact instructions of the _____ and the ________.
pharmacist, privacy officer
pharmacy techs should refer issues related to the disclosure of a child's PHI to the _______ or the _______.
trading partners
pharmacy, outside labs, health insurance company
compliance plans
plans that are designed to prevent illegal practices. they may serve as legal defense in the case of prosecution for fraud.
organization policies and procedures and documentation requirements
policies and procedures documentation
avoiding incidental disclosures
posting signs so others stay back keeping papers turned over at desk no visible names outside medical records when transported through facility keeping printers, copiers, fax machines in non-visible places and removing information quickly
minimum necessary
premise that limits disclosed details to only what is necessary
Every agency must appoint a _______
privacy officer
What is a tort?
private or civil injury; types include unintentional or intentional
risk analysis
process for cost effective security measures
What is malpractice?
professional negligence
What does HITECH Act do?
promotes the adoption and meaningful use of health information technology
What does stand for PARATOH?
protect against reasonably anticipated threats or hazard/ disaster plan
What does stand for P.A.U.D. ?
protect against unauthorized disclosure
What does every agency must provide?
provide education of HIPAA and organizational policies and procedures
Health insurance plan
these plans include group health plans, HMOs, Medicare, Medicaid, supplemental Medicare policies, long-term policies, employee benefit plans, TRICARE, CHAMPVA, Indian Health Service, Federal Employees Health Benefits Program, approved child health plans, high-risk plans, etc.
electronic medical records
these records are legal records of a care delivery organization upon which an EHR is based.
electronic health records
these records are owned by the patient or person who has a stake in the outcome, and provide interactive patient access.
electronic medical records
these records are preferred over paper records because they can be accessed more quickly, and take less room to store
electronic medical records
these records may be shared between authorized healthcare professionals more easily than paper records.
Integrity:
things can't be changed on the EMR; you can add more info, but it is marked as an addition => never lose stuff
COBRA
this act of 1985 allows employees who are leaving a job to elect to continue their previous employer's health coverage for a limited time.
TPHCO
this concerns PHI that may be shared in order to provide treatment, process payment, and operate medical business: treatment mostly concerns discussions with other healthcare providers, payment refers mostly to health insurance, and healthcare operations include training and accreditation.
Healthcare provider
this includes hospitals, nursing facilities, rehabilitation facilities, hospices, home health care, pharmacies, private practices, dental practices, labs, chiropractors, osteopaths, podiatrists, and therapists.
Title I
this part of HIPAA gave certain people the ability to enroll in new healthcare plans of different types.
Title II
this part of HIPAA restricted electronic transfer of healthcare data, gave patients more rights regarding their own personal information, and put in place better security of this information.
Title II
this part of HIPAA sought to reduce paperwork, simplify internet form processing, and standardize the administration of healthcare information.
Minimum necessary standard
this protects against too much information being given to any specific person or entity
HIPAA training
this training is required of pharmacy techs and pharmacists to be acquainted with all policies and procedures designed to protect PHI
offender did not know ($100-25,000)
tier A
reasonable cause and not willful neglect (1,000-100,000)
tier B
willful neglect and violation was corrected (10,000-25,000)
tier C
willful neglect and organization did not correct (50,000-1.5million)
tier D
What is the goal of HIPAA?
to protect confidential information from improper use or disclosure
Office for civil rights
to whom complaints about a provider's handling of PHI may be made
confidentiality
under HIPAA, healthcare providers ensure that patient _______ is always maintained
What is one of the biggest threats to patient privacy?
unintentional disclosure of information
What is false imprisonment?
unlawful restraint
What is battery?
unlawful touching of another
under HIPAA, fraud includes ___
upcoding
Information "use"
use within organization.
10 safeguards for computers
user access control, passwords, workstation security, portable device security, safe internet access, reporting security incidents and breaches, email policies and security, recycling electronic computers and media