CRM: Module 2 - Cancer Data & Confidentiality
Legal aspects generally relate to the law, and the term "law" encompasses 3 things. Name them.
1) Common law, or law established by court decisions 2) Statutory law, which is prescribed by legislation 3) Administrative law, which formulates the rules and regulations necessary to carry out the intent of the law
Never release confidential registry data for:
1) Marketing 2) Recruiting patients by healthcare facilities or providers 3) Aiding insurance companies in their decisions to insure 4) Aiding employers or potential employers 5) Publishing or for the press 6) Granting a request from the general public
Policy and procedures for security should include information concerning:
1) Physical safeguards 2) Remote access 3) Disposal of confidential information
3 objectives of "Administrative Simplification:"
1) Protect consumer rights 2) Improve healthcare 3) Increase efficiency & effectiveness
The 3 main functions of a registry are to:
1) Provide data for clinical purposes, 2) Research, 3) Administrative planning
What 3 things define the legal aspects of cancer registry data?
1) State and national laws, 2) Regulations from governmental & non-governmental agencies, 3) Institutional policies
A covered entity is defined as:
1) a health plan 2) a health care clearinghouse 3) a health care provider who transmits any health information in electronic form
What are the 3 security safeguard categories of HIPAA Security Rule?
1) administrative 2) physical 3) technical
2 most commonly used features for the protection of ePHI at an individual user level are:
1) device encryption (scrambling of information) 2) 2 factor authentication (additional security step beyond strong password)
The Office for Civil Rights (OCR) enforces both the Privacy Rule and the Security Rule by: (name 3)
1) investigating complaints 2) conducting reviews to determine the compliance of covered entities 3) performing educational & outreach activities to foster compliance
Name 3 things the Family Educational Rights and Privacy Act of 1974 (FERPA) was enacted to do:
1) safeguard individual privacy from the misuse of federal records 2) provide individuals access to records concerning them that are maintained by federal agencies 3) establish a Privacy Protection Study Commission
The purpose of the Privacy Protection Study Commission (established by the Family Educational Rights and Privacy Act of 1974) was to evaluate the statute and provide recommendations for its improvement. Name the 4 sets of rights it enacted for individuals:
1) to find out what information is collected about the individual 2) to see & have access to a copy of that information 3) to correct or amend the information if inaccurate 4) to control disclosure of that information
When were covered entities, other than small health plans, required to fully comply with the HIPAA rules? 4/14/2001; 4/14/2002; 4/14/2003; 4/14/2004
4/14/2003
What governs the conduct of members of the registry profession?
A Code of Ethics
Which of the following statements accurately describe HIPAA? A - Health Insurance Portability and Accountability Act; B - A federal law that protects patient confidentiality and Protected Health Information (PHI); C - Does not allow for the release of any aggregate data; A and B
A and B
__________________ ________________ are understood in the field of cancer registration to mean data that do not contain any elements of protected health information (PHI).
Aggregate data. Aggregate data represent totals of de-identified patient data & don't typically require the same safeguards that an institutional review board (IRB) or committee on human research (CHR) may require.
According to the HIPAA Privacy Rule, which of the following does not require patient authorization before releasing health information? Sending cancer data to the National Cancer Data Base; Sending cancer data to the state central cancer registry; Providing other health care facilities with patient treatment information; Allowing state cancer registry staff to review patient records when necessary; All of the above
All of the above
Administrative laws or rules define which of the following for reporting cancer information to State cancer registries? Who is required by law to report cancer cases; How to report cancer cases; Which cases must be reported; Penalties for non-compliance; All of the above
All of the above
Confidentiality policies and procedures should protect the privacy of ________. patients; physicians; healthcare facilities; All of the above
All of the above
The HIPAA Privacy Rule gives an individual a right to an accounting of disclosures of their health information to all of the following except ________. A - cancer information sent to the state cancer registry; B - disclosures necessary to carry out treatment; C - disclosures necessary to file for billing reimbursement; All of the above
All of the above
The cancer registry's confidentiality policies and procedures for the release of cancer registry data should ________. be approved by the institution and the cancer committee; clearly define circumstances under which the registry can release information; include employee confidentiality pledges; All of the above
All of the above
Which of the following steps should the cancer registry conduct when evaluating confidentiality and security procedures? A - Identify the risks of disclosure of confidential information; B - Create and implement a plan to reduce the risk of releasing confidential information; C - Train all department staff on the privacy and security of confidential information; D - Monitor the implementation and correct any breaches of policy and procedure; All of the above; B and D
All of the above
Which of the following would be an example of wrongfully releasing confidential cancer registry data? Giving it to a reporter wanting to bring awareness about cancer; Giving it to a company wanting to market a cancer-related product in the area; Giving it to a group of physicians to assist in the start-up of a new oncology practice in the area; All of the above
All of the above
A formal confidentiality protection authorized under Section 308(d) of the Public Health Service Act. It is used for projects conducted by CDC staff or contractors that involve the collection or maintenance of sensitive identifiable or potentially identifiable information.
Assurance of Confidentiality
The HIPAA Privacy Rule requires a Business Agreement for which of the following? A - Between private practice physicians and hospitals; B - Between a hospital and the American College of Surgeons; C - Between a hospital and registrars under contract from a vendor; D - Between a hospital and state cancer registry staff; B and C
B and C
This Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
Breach Notification Rule
______________________ or state cancer registries are authorized by statutory law and have administrative rules (or laws) that should clearly delineate the rules and regulations necessary to comply with the reporting law.
Central
A requirement that a person act toward others and the public with the watchfulness, attention, caution and prudence that a reasonable person in the circumstances would use. If a person's actions do not meet this standard of care, then the acts are considered negligent, and any damages resulting may be claimed in a lawsuit for negligence.
Duty of Care
In terms of the HIPAA Privacy Rule, which of the following is NOT a Covered Entity? Hospitals; Laboratories; A health care plan; Private practice physician; Employer
Employer
This Rule provides standards for the enforcement of all the Administrative Simplification Rules.
Enforcement Rule
A system of moral principles or values.
Ethics
For those other than cancer registry department staff, which of the following statements is true? Temporary employees do not need to be trained about HIPAA; Contract staff do not need to be trained about HIPAA; Everyone who works in the department, including unpaid volunteers, contract employees, and casual laborers, must be trained on HIPAA; No one else needs to be trained about HIPAA.
Everyone who works in the department, including unpaid volunteers, contract employees, and casual laborers, must be trained on HIPAA.
True or False? Hospital cancer registry employees with computer access to the facility's electronic medical record are allowed to look up information on their own non-cancer related hospital admissions without having to go through the formal release of information process.
FALSE
One of the 1st federal laws to provide specific, statutory protection for patient privacy was the ____________________________________________ of 1974.
Family Educational Rights and Privacy Act of 1974 (FERPA)
The most important federal law that impacts the work of cancer registrars is the _____________________________________________.
Health Insurance Portability & Accountability Act signed into law in 1996. (HIPAA)
______________________________ has standards for confidentiality, disclosure of data, and information that legislation and regulations should specify.
NAACCR
Registrars have a professional code of ethics published by which of the following organizations? NCDB; HIPAA; NAACCR; NCRA; ACoS
NCRA
The HIPAA privacy rule sets forth policies to protect all individually identifiable health information that is held or transmitted. These are the 18 HIPAA Identifiers that are considered personally identifiable information:
1) Name 2) Address (all geographic subdivisions smaller than state, including street address, city, county, and zip code) 3) All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89) 4) Telephone numbers 5) Fax number 6) Email address 7) Social Security Number 8) Medical record number 9) Health plan beneficiary number 10) Account number 11) Certificate or license number 12) Vehicle identifiers and serial numbers, including license plate numbers 13) Device identifiers and serial numbers 14) Web URL 15) Internet Protocol (IP) address 16) Finger or voice print 17) Photographic image (photographic images are not limited to images of the face) 18) Any other characteristic that could uniquely identify the individual
This Rule implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, to strengthen the privacy and security protections for health information established under HIPAA.
Omnibus Rule
_____________________________ refers to the requirements of restricting access, use, and disclosure of confidential information to parties with privilege to the information.
Privacy
This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.
Privacy Rule (12/2000; HHS)
__________________________ and _____________________ are a team of protections meant to prevent unintended access, use, and disclosure of confidential information.
Privacy and Security
______________________ is the methodology by which privacy or confidentiality is attained.
Security
This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.
Security Rule (published by HHS 3/2003)
Which Act prohibits discrimination on the basis of genetic information with respect to health insurance and employment? What year was it enacted?
The Genetic Information Nondiscrimination Act (GINA) 2008
Which Act requires financial institutions - companies that offer consumers financial products or services like loans, financial or investment advice, or insurance - to explain their information-sharing practices to their customers and to safeguard sensitive data? What year was it enacted?
The Gramm-Leach-Bliley Act 1999
Who is responsible for enforcing both the Privacy Rule and the Security Rule?
The Office for Civil Rights (OCR)
The Health Information Technology for Economic and Clinical Health (HITECH) Act was created to encourage the implementation of electronic medical records (EMR) & supporting technology in the US health care facilities. Why?
To cut down on the cost of health care by sharing information between doctors, hospitals and other ePHIs. It requires medical professionals, subcontractors, companies that cover the transmission of PHI, electronic prescription gateways, and patient safety organizations to be HIPAA compliant.
Yes or no: A community group wants to investigate a very rare type of cancer. The cancer registry provides a report with the survival rates grouped by the type of surgery and the primary surgeon. Is this violating confidentiality?
YES
Under the HIPAA rules, can the hospital registry report cases of cancer to the central cancer registry? Yes, a business agreement or patient authorization is not required; Yes, as long as there is a business agreement in place; Yes, as long as there is a patient authorization on file; No.
Yes, a business agreement or patient authorization is not required.
Under the HIPAA rules, can one hospital cancer registry provide follow-up and treatment information to a different hospital cancer registry? Yes, under any circumstance; Yes, as long as there is a business agreement in place between the two hospitals; Yes, as long as there is a patient authorization on file; Yes, as long as both hospitals have had a relationship with the patient; N
Yes, as long as both hospitals have had a relationship with the patient.
The Privacy Rule & Security Rule were established by whom? For what?
a) established by the US Department of Health & Human Services (HHS) b) to implement technical requirements of the law.
Business associate functions and activities include:
claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.
The portion of HIPAA entitled "Administrative Simplification" calls for the implementation of:
common sense privacy and security protection of personal information to moderate risks posed by modern technology.
A return address using the words Cancer Registry, or other similar terms, should not be used on envelopes containing materials or requests for information that are sent to patients primarily because ________. the patient may not know what the Cancer Registry is; the letter may be mistaken for a request for a donation; it violates the patient's privacy
it violates the patient's privacy
Cancer registrars can protect the security of electronic information by ________. logging off of the computer system whenever leaving the work area; having one password for the cancer registry database for all cancer registry staff; using your name as your password; allowing your co-worker to log on using your password.
logging off of the computer system whenever leaving the work area.
The __________ is responsible for monitoring the release of confidential information and accounting for disclosures.
registry
The HIPAA Standards for Privacy of Individually Identifiable Health Information is known as _______?
the Privacy Rule (went into effect in 2003)
The HIPAA Security Standards for Protection of Electronic Protected Health Information is known as _______?
the Security Rule.
Individually identifiable information includes all of the following except ________. the ability to deduce the patient's identity; the patient's address; the patient's treatment; the organization's employees
the organization's employees
What is the purpose of HITECH?
to convert our nation's health care records into digital formats
A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.
"business associate"