Electronic Health Record Chapter 10


CMS permits the authentication of medical records by _____ ______ but does not specify methods.

Computer key

must notify affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, the media following the discovery of a breach of unsecured PHI. Business associates must notify covered entities if a breach has occurred. The OCR must post a list of breaches that affect 500 or more individuals.

Covered Entities

Digital signatures use a branch of mathematics called ______

Cryptography

use a branch of mathematics called cryptography and PKI, which stands for Public Key Infrastructure.

Digital signatures

Because of this difference, security discussions are assumed to be about the protection of electronic health records, but the Security Rule actually covers all PHI that is stored electronically. This is called _____.

EPHI

EDI

Electronic Data Interchange

This identifier is used to identify employer-sponsored health insurance. It is the same as the federal Employer Identification Number (EIN) employers are assigned for their taxes by the Internal Revenue Service.

Employer Identifier

HIPAA is an acronym for the

Health Insurance Portability and Accountability Act

HHS

Health and Human Services

HIPAA implementation and enforcement is under the jurisdiction of several entities within the U.S. Department of _____ ____ _____ ______

Health and Human Services (HHS)

ICD-10-CM

International Classifications of Diseases, 10th revision, Clinical modification

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.

Media Notice

This identifier has not yet been implemented, but when it is it will be a unique identification number assigned to each insurance plan and to the organizations that administer insurance plans, such as payers and third-party administrators.

National Health Plan Identifier

This type of identifier is assigned to doctors, nurses, and other healthcare providers.

National Provider Identifier

OCR

Office for Civil Rights

A healthcare entity may use or disclose _____ for its own treatment, payment, and healthcare operations activities. For example, a hospital may use _____ to provide healthcare to the individual and may consult with other healthcare providers about the individual's treatment.

PHI

What do the acronyms PHI and EPHI represent?

PHI - Protected Health Information; EPHI - Protected Health Information in Electronic Format

In general, these are the mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. They include restricting access to EPHI and retaining off-site computer backups.

Physical safeguards:

HIPAA privacy rules frequently refer to PHI or ___ ____ ____. PHI is the patient's personally identifiable health information.

Protected Health Information

PKI

Public Key Infrastructure

To fully comply with the Privacy Rule, it is necessary to understand and implement the requirements of the ____ _____. There are clearly areas in which the two rules supplement each other because both the HIPAA Privacy and Security rules are designed to protect identifiable health information.

Security Rule

_____ awareness and _____ for all new and existing members of the workforce is required.

Security awareness and training

must address how to identify security incidents and provide that the incident be reported to the appropriate person or persons.

Security incident procedures

defines physical safeguards as physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.

The Security Rule

involves the successful identification and authentication of the signer at the time of the signature, binding of the signature to the document, and nonalterability of the document after the signature has been affixed. Only "digital signatures" meet all three of these criteria.

The electronic signature process

TPO

Treatment, Payment, Operation of healthcare practice

The Privacy Rule originally required providers to obtain patient "_______" to use and disclose PHI except in emergencies. The rule was almost immediately revised to make it easier to use PHI for the purposes of treatment, payment, or operation of the healthcare practice.

consent

A ___ _____ is not a valid permission to use or disclose protected health information for a purpose that requires an authorization under the Privacy Rule.

consent document

HIPAA documents refer to healthcare providers, plans, and clearinghouses as ____ _____.

covered entities.

healthcare organization and all of its employees.

covered entity

Authorizations are usually ______ for researchers to use PHI. The only difference in a research authorization form is that it is not required to have an expiration date. The authorization may be combined with consent to participate in a clinical trial study for example.

required

HIPAA requires the use of standard sets of codes. Two of those standards are:
◆ Diagnoses ____ _____
◆ Procedure _____ _____ ____ _____

(ICD-10-CM) codes; (CPT-4 and HCPCS) codes

Valid electronic signatures must meet three criteria.
1. ____ _____ means the recipient must be able to confirm that the document has not been altered since it was signed.
2. ______ The signer must not be able to deny signing the document.
3. ____ ______ The recipient must be able to confirm that the signature was in fact "signed" by the real person.

1. Message Integrity
2. Nonrepudiation
3. User Authentication

The Administrative Simplification Subsection has four distinct components:

1. Transactions and code sets
2. Uniform identifiers
3. Privacy
4. Security

The ____ _____ also added new requirements regarding the occurrence of a breach of unsecured protected health information.

HITECH Act

is the first step. It is used to establish the administrative processes and procedures.

The Security Management Process

What happens if a healthcare facility experiences a power outage, a natural disaster, or other emergency that disrupts normal access to healthcare information? __ ______ _____ consists of strategies for recovering access to EPHI should the organization experience a disruption of critical business operations. The goal is to ensure that EPHI is available when it is needed.

A contingency plan

are the policies, procedures, and actions to manage the implementation and maintenance of security measures to protect EPHI.

Administrative Safeguards

Security Standards

Administrative safeguards; Physical safeguards; Technical safeguards

In general, these are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements.

Administrative safeguards:

are "hardware, software, and/or procedural mechanisms that record and examine activity in information systems."

Audit Controls

Within Workforce Security there are three addressable implementation specifications:
1. _____ or _______ _______ is the process of determining whether a particular user (or a computer system) has the right to carry out a certain activity, such as reading a file or running a program.
2. Workforce Clearance Procedure: Ensure members of the workforce with authorized access to EPHI receive appropriate clearances.
3. Termination Procedures: Whether the employee leaves the organization voluntarily or involuntarily, termination procedures must be in place to remove access privileges when an employee, contractor, or other individual previously entitled to access information no longer has these privileges.

Authorization or Supervision Authorization

"The HIPAA Privacy Rule applies only to covered entities—healthcare providers, plans, and clearinghouses. However, most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses.

Business Associates

(COB)

Claims or Equivalent Encounters and Coordination of Benefits

are policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed.

Facility Access Controls

Before _____, no generally accepted set of security standards or general requirements for protecting health information existed in the healthcare industry.

HIPAA

gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their healthcare providers, as well as to be informed of their privacy rights with respect to their personal health information.

HIPAA Privacy Rule

The first section of the regulations to be implemented governed the electronic transfer of medical information for business purposes such as insurance claims, payments, and eligibility.

HIPAA Transactions and Code Sets

The Security Rule defines ___ _____ as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."

Technical Safeguards

In general, these are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that EPHI, or encrypting and decrypting data as it is being stored and/or transmitted.

Technical safeguards:

outlines the procedures for limiting access to only those persons or software programs that have been granted access rights by the Information Access Management administrative standard (discussed earlier).

The Access Control standard

accepts the use of electronic signatures in hospital, ambulatory care, home care, long-term care, and mental health settings. The Joint Commission requirement for electronic signatures and computer key signatures is simple: "The practitioner must sign a statement that he or she alone will use it."

The Joint Commission

There are three exceptions to the definition of "breach":
◆ _____ _______, access, or use of PHI by an employee of a covered entity or business associate
◆ ______ ________ of PHI from an authorized person to another authorized person at the covered entity or business associate
◆ If the covered entity or business associate has a good faith belief that the _____ ______, to whom the impermissible disclosure was made, would not have been able to retain the information

Unintentional acquisition; Inadvertent disclosure; impermissible disclosure; unauthorized individual

or Other Arrangement Covered entities should have a written agreement with business associates ensuring the security of EPHI. Government agencies that exchange EPHI should have a Memorandum of Understanding.

Written Contract

Covered entities must provide ____ _____ written notice by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically

affected individuals

A ______ is defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputation, or other harm to the affected individual.

breach

To protect the patient's information while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research, the Privacy Rule ___ ____ some exceptions that permit researchers to access PHI without individual authorizations. Typically, these are cases where the patients are deceased;

does allow

HIPAA standardized these formats by requiring specific transaction standards for ____ ____ __ ____ ___ ____ ____ _____. Two additional EDI transactions are not yet finalized. The HIPAA transactions are:

eight types of EDI or Electronic Data Interchange

However, the Privacy Rule covers PHI in all forms of communications, whereas the Security Rule covers only ____ ____.

electronic information

Ongoing _______ of security measures is the best way to ensure all EPHI is adequately protected. Periodically evaluate strategy and systems to ensure that the security requirements continue to meet the organization's operating environments.

evaluation

Unlike the Privacy Rule concept of consent, authorizations are not ______. A new authorization is signed each time there is a different purpose or need for the patient's information to be disclosed.

global

Covered entities are required to provide a notice in plain language that describes:
◆ How the covered entity may use and disclose protected ______ _______ about an individual.
◆ The individual's rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
◆ The covered entity's legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
◆ Whom individuals can contact for further information about the covered entity's privacy policies.

health information.

The HIPAA law was intended to: ***Know this***
◆ Improve portability and continuity of ____ _____ _____.
◆ Combat ____, _____, and ______ in health insurance and healthcare delivery.
◆ Promote use of ____ _____ accounts
◆ Improve access to ____ ____ ___
◆ Simplify _______ of health insurance

health insurance coverage; waste, fraud, and abuse; medical savings; long-term care; administration

There may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the Rule, a person authorized to act on behalf of the individual in making healthcare related decisions is the

individual's personal representative.

Protecting the _____ of EPHI is a primary goal of the Security Rule.

integrity

The term consent has multiple meanings in a medical setting. Informed consent refers to the ___ _____ to receive medical treatment having been provided sufficient information to make an informed decision. Consent for medical procedures must still be obtained by the practice.

patient's agreement

Under the Privacy Rule the term consent is only concerned with use of the ___ ____, and should not be confused with consent for the treatment itself.

patient's information

Authorization differs from consent in that it does require the ___ _____ to disclose PHI.

patient's permission

The covered entity's contract or other written arrangement with its business associate must contain the elements specified in the privacy rule. For example, the contract must:
◆ Describe the ____ and _____ uses of protected health information by the business associate;
◆ Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and
◆ Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.

permitted and required

Healthcare providers have a strong tradition of safeguarding private health information and have established privacy practices already in effect for their offices. For instance:
◆ By ___ ____ when discussing a patient's condition with family members in a waiting room or other public area;
◆ By avoiding using ___ ____ in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
◆ By isolating or locking ___ ___ or _____ rooms; or
◆ By providing ____ _____, such as passwords, on computers maintaining personal information.

speaking quietly; patients' names; file cabinets or records; additional security

User Authentication

the recipient must be able to confirm that the signature was in fact "signed" by the real person.

Nonrepudiation

the signer must not be able to deny signing the document.

HIPAA established ____ _____ standards to be used on all claims and other data transmissions.

uniform identifier

Message Integrity

the recipient must be able to confirm that the document has not been altered since it was signed.

The appearance of an authorization form is up to the practice, but the Privacy Rule requires that it contain specific information. The required elements are:
◆ Date ____
◆ ________ date
◆ To whom the information may be _____
◆ What is _____ to be disclosed
◆ For what purpose the ______ may be used

◆ Date signed
◆ Expiration date
◆ To whom the information may be disclosed
◆ What is permitted to be disclosed
◆ For what purpose the information may be used
