HIPAA Test Review
Texas Medical Privacy Act
*It is as strict as HIPAA*, applying specifically to Texas *medical and dental providers*.
- This training is required once every 2 years for providers.
- This training is an *exact photocopy of HIPAA*.
Employee rights under OSHA
- A safe and healthful workplace
- Know about hazardous chemicals
- Report injury to employer
- Complain or request hazard correction from employer
- Training
- Hazard exposure and medical records
- File a complaint with OSHA
- Participate in an OSHA inspection
- Be free from retaliation for exercising safety and health rights
How *do* I protect my patient's privacy?
- Close doors in patients' rooms when discussing treatments.
- Log off the computer when you are finished.
- Dispose of patient information by shredding it or storing it in a locked container for destruction.
- Clear patient information off of your desk when you leave your desk.
Employers' responsibilities include:
- Creating workplace health and safety policies and procedures, and making sure workers follow them.
- Making sure workers wear and use the right protective equipment.
How to prove negligence
- Duty
- Breach of Duty
- Causation (2 parts)
- Damages
What does the Privacy Rule establish?
- Establishes a Federal floor of safeguards to protect the confidentiality of medical information.
- Allows patients to make informed choices when seeking care and reimbursement for care, based on how personal health information may be used.
General groups of OSHA standards:
- General Industry
- Construction
- Maritime
- Agriculture
What are the three types of penalties?
- Inadvertent
- Civil
- Criminal
What characteristics of the defendant do not become "a part of" the reasonable person?
- Mental characteristics (e.g. if the defendant is of below average intelligence, he can't defend his actions based on this)
- Intoxication
Physical harm aspect of damage
- "Money claimed by, or ordered to be paid to, a person as compensation for loss or injury"
- The law tries to restore the plaintiff to her pre-injury condition using money.
What *Safeguards* do I use to protect my patient's privacy?
- Physical Safeguards
- Technical Safeguards
- Administrative Safeguards
What characteristics of the defendant become "a part of" the *reasonable person*?
- Physical disabilities
- If the defendant is a child, the child's age (unless doing an "adult activity" such as driving a car)
- Defendant acted during an emergency
What are a patient's rights under HIPAA?
- Right to a written Notice of Privacy Practices [NPP] that informs consumers how Protected Health Information [PHI] will be used and to whom it is disclosed
- Right of timely access to see and copy records for a reasonable fee
- Right to an amendment of records
- Right to restrict access and use
- Right to an accounting of disclosures
- Right to revoke authorization
How *don't* I protect my patient's privacy?
- Tell anyone what you overhear about a patient.
- Discuss a patient in public areas, such as elevators, hallways or cafeterias.
- Look at information about a patient unless you need it to do your job.
What 5 things must an authorization include?
- The Protected Health Information [PHI] to be used and disclosed;
- The person authorized to make the use or disclosure;
- The person to whom the Covered Entity may make the disclosure;
- An expiration date;
- The purpose for which the information may be used or disclosed.
What are the 4 violation types of OSHA?
- Willful
- Serious
- Other-than-Serious
- Repeated
Criminal Action vs. civil action
- Criminal: the prosecution has the burden of proof, and the standard is beyond a reasonable doubt.
- Civil: the plaintiff has the burden of proof, and the standard is a preponderance of the evidence.
What are the 4 major focus areas HIPAA consists of?
1. Electronic Data Interchange
2. Security
3. Privacy
4. National Identifiers for Health Care
What are some examples of Protected Health Information?
1. Physical and mental health
2. Provision of health care to the patient
3. Payment for the patient's health care
4. Anything that can be communicated orally, in written form, or through other media
Ex. Name, date of birth, SS #, address, phone #, patient account #, date and location of healthcare service, Dx., Tx., meds, email address, photo, lab results.
What are the 5 parts of HIPAA?
1. Portability
2. Standardization
3. Administration Simplification
4. Accountability
5. Privacy Protection
What are the 6 patient rights regarding health information?
1. Receive notice of privacy policies
2. Access health information on file
3. Limit uses and disclosures of medical information
4. Make amendments to the medical record
5. Revoke authorizations
6. Have an accounting of information disclosures for up to 6 years
What are some inappropriate uses of PHI (Personal Health Information)?
1. Selling information for databases
2. Advertising
OSHA was created in _________.
1971
Employees have how many days to contact OSHA if they feel they've been punished for exercising their safety/ health rights?
30 days
If a covered entity Business Associate has a breach, how many days do they have to report it?
60 days
Report Accident to OSHA within how many hours of any fatal accident or one which 3 or more employees are hospitalized?
8 hours
Proximate cause
A cause that is legally sufficient to result in liability; an act or omission that is considered in law to result in a consequence, so that liability can be imposed on the actor.
- Determined by foreseeability (a defendant is liable only for consequences of his negligence that were reasonably foreseeable when he acted).
tort
A civil wrong
reasonable person
A legal fiction of the common law representing an objective standard against which any individual's conduct can be measured. Each person owes a duty to behave as a reasonable person would under the same or similar circumstances.
What is a Notice of Privacy Practices?
A notice explaining how an individual's PHI will be used or disclosed, along with their rights, and the CE's legal duties.
What does HIPAA's standards provide patients with?
Access to their medical records and more control over how their personal health information is used and disclosed
civil action
An action brought to enforce, redress, or protect a PRIVATE OR CIVIL RIGHT; a NONCRIMINAL litigation
What is a breach?
An unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information.
The process of giving someone permission or granting power to
Authorization
What is the civil penalty and what are the fines?
Civil: done without intent to gain, but deliberate. Fines: $100.00 per violation, up to $25,000.00 per year for each violation.
containing private information (ex. medical records)
Confidentiality
What is "Portability"?
Continuity of coverage access; denial of coverage based on pre-existing conditions
What is a criminal penalty and what are the fines?
Criminal: deliberate, for gain, causes harm. Fines: $250,000.00 and/or up to 10 years jail time.
Who developed HIPAA?
Department of Health and Human Services (HHS)
What can plaintiffs recover?
- Direct loss
- Economic loss
- Pain and suffering
What is the mission of OSHA?
Encourage employers and employees to reduce workplace hazards and to implement new or improve existing safety and health programs
Technical safeguards are:
- Every associate must keep his/her password confidential.
- No photographs or recordings of any type are to be taken of patients in the clinical setting.
- No cameras, tablets, cell phones or any electronic devices with photography capabilities are permitted in the clinical environment.
What are some examples of the "minimum necessary" rule?
Ex. Limit use of faxes for highly sensitive information, verify numbers and the availability of the receiver, keep fax machines secure, and remove faxes promptly on arrival.
What is an example of inadvertent penalty?
Example: Nurse takes copy of lab results home with her
What is an example of a civil penalty?
Example: Practice signing in with "Reason for Visit" column
What is an example of criminal penalty?
Example: Publishing- or allowing the publishing of health status or care detail of a patient
What is negligence?
Failure to exercise the standard of care that a reasonable person would give under similar circumstances. The defendant *does NOT INTEND* for the bad consequence to result.
What is HIPAA?
Federal privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers.
What does HIPAA stand for?
Health Insurance Portability & Accountability Act
What is the Inadvertent penalty and what are the fines?
Inadvertent: standards in place, safeguards present, still happened. Fines: None.
Protected Health Information (PHI)
Individually identifiable health information that is transmitted or maintained by electronic media. Relates to the past, present, or future physical or mental health of an individual.
Example: Name, address, telephone, fax, email, SSN, medical Dx., photographs or images.
What is the "minimum necessary" standard?
Information can be disclosed to other health care providers if the information is for treatment. Only the minimum necessary amount of PHI is to be used to perform the job.
What does HIPAA do?
It reduces health care fraud, guarantees the security and privacy of healthcare information, and enforces standards for electronic data interchange.
Tort Law
Law that deals with harm to a person or a person's property.
How are inspections conducted?
Most are unannounced (surprise inspections), except in cases of imminent danger.
If authorization for PHI is given by the patient what are the requirements?
Must be in writing and the patient voluntarily agrees to let the organization use the information for a particular purpose
Type of Tort:
Negligence
What act created OSHA?
OSH Act
Sanitation of the work site goes with HIPAA or OSHA?
OSHA
What does OSHA stand for?
Occupational Safety and Health Administration
What is "Standardization"?
Of billing format and language
What is "Privacy Protection"?
Oral, written, electronic information management
What is required when acting on the "minimum necessary" rule?
Patient's consent for release.
What is the patient's right if they authorize usage of PHI other than the need of Payment, Treatment, or routine operations?
Patients have the right to revoke authorization at any time in writing
What does PHI stand for?
Protected Health Information
Why was OSHA created?
Regulate and enforce safety and health standards to protect employees in the workplace
What is "Accountability"?
Same computer language industry wide
What is "Administration Simplification"?
Same computer language industry wide
What was not affected by HIPAA?
State laws providing additional protections to consumers are not affected by this new rule
Causation
There are *two aspects* of causation that must be considered: *cause in fact* and *proximate cause*
Damages
There are two aspects of damages that must be considered: *actual, physical harm and the monetary values* ascribed to those harms
What is a covered entity (CE)?
Those responsible for implementing HIPAA rules and regulations. Examples are: Health Plans, Health care clearinghouses, health care providers
When did HIPAA take effect?
Took effect on April 14, 2003.
Breach of Duty
Violation or omission of a legal or moral duty or obligation
What is protected health information?
When patients provide information to their providers, they expect that only the people caring for them will see it and that it will be used to help care for them.
Criminal Action
An action *INSTITUTED BY THE GOVERNMENT* to punish offenses *AGAINST THE PUBLIC*
to break an agreement, to violate a promise
breach
cause in fact
A cause without which the event *COULD NOT HAVE OCCURRED*
- Determined by the "but for" test
Physical safeguards
Computer terminals are not placed in public areas
The release, transfer, provision of access to, or divulging of information outside the entity holding the information
disclosure
economic loss
out of pocket costs resulting from injury (ex. medical bills, lost wages, property damage)
PPE
personal protective equipment
Administrative Safeguards
policies and procedures for release of patient information
State of being concealed; secret
privacy
Actual damage
show that you suffered actual injury (ex. broken arm, burned down house, etc)
Duty of Care
the legal obligation people owe each other not to cause any unreasonable harm or risk of harm
What happens if conflict occurs between State Law and HIPAA privacy rule?
the patient will always be given the better rights/privacy
The sharing, employment, application, utilization, examination, or analysis of health information within an organization
use
Direct Loss
value of the loss of certain bodily functions (ex. leg)
pain and suffering
value of the mental anguish plaintiff has suffered and will continue to suffer
What does HIPAA give patients?
•HIPAA gives the patients the right to inspect and copy the PHI that your facility keeps about them
What is the Minimum Necessary Rule of Thumb?
•If someone asks for information about a patient's case, ask why it is needed and disclose only the minimum amount necessary for that person to do his or her job.