HIPAA


An oncology practice requires all patients to sign in when they arrive at the office. Is this a violation of HIPAA?

Covered entities, such as physician's offices, may use patient sign-in sheets or call out patient names in waiting rooms, as long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).

Under HIPAA, a patient has the right to request an amendment to his/her medical record, and the hospital has a duty to comply.

False

Under normal circumstances, a patient does not have the right to obtain a copy of his or her confidential health information.

False

HIPAA is a federal law which is enforced by:

OCR - Office for Civil Rights of the Department of Health and Human Services

The Privacy Rule states that release of patient information may be done for three purposes only. These are Treatment, Payment and

Operations

Using PHI for quality assurance, teaching or auditing purposes would fall under which portion of the allowed purposes for release of PHI?

Operations

Using PHI for patient registration or coding purposes would fall under which portion of the allowed purposes for release of PHI?

Payment

Restricting access to the IT Department of a hospital would fall under which type of safeguard required by the Security Rule of HIPAA?

Physical

Criminal penalties for the violation of HIPAA rules can involve as much as $100,000 in fines and 5 years in prison if an offense is committed under false pretenses.

True

health care provider

a provider of medical or other health services, or any other person furnishing health care services or supplies

clearinghouse

a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

this came about mainly because of

abuses of patient privacy that have occurred in many places

According to HIPAA, all of the following can be used to identify a patient

addresses, dates, telephone or fax numbers, social security numbers, medical record numbers, patient account numbers, insurance plan numbers, vehicle information, license numbers, medical equipment numbers, photographs, fingerprints, email addresses, internet addresses

Privacy Rule of Title II

administrative simplification

health plan

an individual or group insurance plan that provides, or pays the cost of, medical care

HHS

Department of Health and Human Services

health information

any information, oral or recorded, in any form or medium, that:
-is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or clearinghouse
-relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual

code set

any set of codes used for encoding data elements, such as tables of terms, medical concepts, and medical diagnostic or procedural codes

The Privacy Rule became effective for health care providers on

April 14, 2001

Most entities subject to the rule were required to comply as of

April 14, 2003

Disclosures to business associates

Business associates include non-employees who perform, or assist with, tasks that involve the disclosure of identifiable health information; this includes non-employees who perform legal, billing, or administrative functions. A business associate must agree to appropriately safeguard protected health information.

CMS

Centers for Medicare and Medicaid Services of the US Department of Health and Human Services

HIPAA established standards and safeguards for

documentation and transmission of health record information to assure privacy and security of this data

HIPAA applies to the following covered entities under the rule

health care providers, health plans, health care clearinghouses

HIPAA

Health Insurance Portability and Accountability Act

ID ANSI

HIPAA defines a code set that serves as the standard for all electronic data interchange

unique identifiers

HIPAA-mandated code for patients to maintain security as well as standardization for providers, health plans, and employers

patients have the right to know

how their health information may be used or disclosed

patients may

opt out of being placed in various patient directories

HIPAA regulations

override all state laws that define and regulate patient privacy.

the initial focus of this reform is largely on

patient privacy and data security

Some portions of HIPAA mainly affect

personnel information systems, medical records, and administration, but other requirements affect virtually everyone working in American health care, including all those working with protected information.

PHI

protected health information; individually identifiable health information

portability deals with

protecting health care coverage for employees who change jobs, and allowing them to carry their existing plans with them to new jobs.

Notice of Privacy Practices (NPP)

the document through which patient rights are communicated

electronic transaction records

set of rules that provides simplification by standardizing codes

disclosure

the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

ICD-10

the standard coding for all diagnoses, which is based on the International Classification of Diseases, 10th edition

two main sections of the law

Title I - health care portability
Title II - administrative simplification

single most important key

to simplify, by standardizing a set of codes and transaction standards throughout the health care system

TPO

treatment, payment, or health care operations

use and disclosure of protected health information

Use: sharing, examining, or utilizing information within the office/facility.
Disclosure: release of information in any manner to a person or entity outside of the office/facility.

Implementation of HIPAA regulations

will not only protect security but will also improve efficiency and the exchange of information in health care, thus improving the portability of health insurance.

authorization

written document signed by a patient giving permission to disclose protected health information.

The HIPAA Privacy Rule protects:

written, verbal and electronic data

computers

-all information must be secured
-proliferation of computers in medicine has created new dangers for breaches of confidentiality
-everyone who uses the computer has a duty to keep the information secure

information subject to the rule

-any information created by health care providers or other entities
-can be oral, written, or electronic
-is related to the present, past, or future physical or mental health or condition of an individual; all personal and medical information in a hospital; the provision of health care to an individual; billing or payments made for the provision of health care to an individual
-if information is not individually identifiable, it is excluded from the protections of the privacy rules
-in general, information about a patient can be shared if directly related to treatment

marketing

-before HIPAA, it was not uncommon for patient information to be released to other companies for the purpose of marketing
-HIPAA states you must get signed authorization before doing this

The MA/phlebotomist will be responsible for reporting what to the local health department?

-births and deaths
-cases resulting from violence
-death from accidental, suspicious, or unexplained causes
-occupational diseases and injuries
-STDs
-AIDS
-suspected child abuse

nurse station/ front desk security

-blank computer screen or sign off
-make sure the public cannot read what is on the screen
-flat screen monitors
-limited access privacy screens
-do not call out patient names in a waiting room (consider a number tag system)

chart security

-charts containing patient names or other identifiers cannot remain within view at a desk or nurse's station
-charts must be stored out of public view
-charts may be placed sideways on shelves
-logs must be in place to record the name of every person who views records

data security

-data backup
-access controls
-internal audits

proper disposal of information

-do not throw away patient information
-individual information must be shredded

workplace layout

-facilities must take measures to reduce the identifiability of patient information
-door tags or labels and whiteboards will have limited information: last name only; no diagnosis, procedure, or treatment should be linked to the patient

fax and email security

-fax machines kept in a secure area
-cover sheet
-phone first to let the other party know a fax is on the way
-email with password protection and encryption
-double check the name of the recipient
-destroy printouts immediately or put them in the patient's chart

sharing patient information

-HIPAA allows the provider to use health information for TPO
-if use of information doesn't fall under one of these categories, written authorization must be obtained before sharing information with anyone
-before HIPAA it was common to use patient information for other purposes
-patients must give prior authorization for use of their health information for non-TPO purposes
-minimum necessary rule: health care providers and staff should only have access to the information they need to fulfill their assigned duties

conversations

-lower your voice level
-move to a private place
-avoid lunchrooms, corridors, and elevators

Patient information may be disclosed to the following without authorization

-medical researchers
-funeral directors/coroners
-organ, tissue donation and transplant organizations
-Food and Drug Administration
-correctional institutions
-law enforcement purposes
-disaster relief services
-for work-related conditions that could affect employee health
-military authorities of US and foreign military personnel
-judicial/administrative proceedings

the following information is disclosed in a hospital directory

-name
-location
-general condition
-religion (only to clergy)

new rights allow patients to

-obtain a list of who their health information has been shared with for the past six years
-request to amend their medical records
-request other communications, such as asking to be notified of lab results only at work and not at home

protection of information on computers can be done by

-properly signing on with individual IDs and passwords
-signing off computers if walking away from the desk
-keeping IDs and passwords confidential
-protecting computer screens from unwanted viewing

parents and minors

-provides parents with new rights to control the health information about their minor children
-in special cases minors control their own health information
-information may be released to someone who helps pay for care
-information may be disclosed to assist in disaster relief efforts
-family or friends may be told about the patient's condition and that they are in a hospital
-information from a hospital may be disclosed to people who ask for the patient by name

revised rights allow patients to

-review and copy their medical records
-request restrictions on the use or sharing of their information

The monetary penalties for improperly disclosing patient health information can be as high as:

1.5 million dollars

For PHI disclosures in which there is personal gain, or for malicious purposes, federal penalties can include up to _____ year(s) in prison.

10

Congress passed the Health Insurance Portability and Accountability Act in

1996; this was further defined and modified in 2002

A covered entity must act upon a request for access to PHI no later than ____ days after receipt of the request, under normal circumstances.

30

If a breach of PHI involves more than ______ patient(s), a press release must be issued to the major media informing the public of the breach.

500

The development of policies and procedures that address e-PHI security would fall under which type of safeguard required by the Security Rule of HIPAA?

Administrative

_______________ is defined as an impermissible disclosure of PHI that compromises the security or privacy of the patient.

Breach

The HIPAA Omnibus Rule has (had) a compliance date of:

September 23, 2013

The establishment of computer passwords and firewalls would fall under which type of safeguard required by the Security Rule of HIPAA?

Technical

OCR

This federal office enforces the HIPAA privacy standards.

A covered entity (CE) is liable for civil money penalties for a violation based on the act or omission of the CE's business associate.

True

For HIPAA violations, there are criminal penalties of as much as $250,000 in fines and 10 years in prison if an offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.

True

Under HIPAA, criminal penalties of as much as $50,000 in fines and 1 year in prison are in effect for covered entities that knowingly and illegally obtain or disclose identifiable health information.

True

When patients pay for their healthcare bills, "out of their own pocket", they can have information kept private from their health insurance plan.

True

