Med Law and Ethics - Mod 6 - HIPAA Privacy Rule


Under HITECH, what is the maximum fine per calendar year for violations of a single HIPAA provision?

1.5 million dollars per identical provision per calendar year (the base figure; HHS has since adjusted the amounts for inflation).

If a patient requests access to their health information, how many days does the covered entity have to comply with the request or issue a denial?

30 days (with a single 30-day extension permitted if the individual is notified in writing of the reason and the new date).

T or F: A penalty is automatically imposed for any improper use or disclosure of PHI?

False. HIPAA provides for civil money penalties, but they are not automatic: HHS investigates the violation and decides whether to impose a penalty (see the enforcement questions below).

Which covered entities are exempt from providing NPPs?

Health care clearinghouses (when they handle PHI only as a business associate). Correctional institutions (with respect to inmates). Group health plans under certain circumstances (a fully insured plan that receives only summary or enrollment information).

Can a patient request a restriction on the use or disclosure of their PHI?

Yes. Patients can request restrictions on the use and disclosure of their PHI, but the CE is not required to agree (the one exception is the paid-in-full, out-of-pocket restriction covered below). The CE's response must be in writing, and any restriction it agrees to must be documented and honored.

If a patient wants their health record amended, what must they do?

Request the amendment in writing.

According to Washington State law, when can records be destroyed?

Ten years from date of last service.

What are types of breaches?

Unintentional (example: releasing information from an account to someone with the same name who is not the patient). Intentional (example: looking up an ex-partner's account to find out why they are in the hospital).

Larry visited the HIM department at his local hospital and requested an accounting of disclosures for his health records. He was informed that the organization has 60 days to provide the information to him. After 60 days, Larry was told that the organization is unable to comply with the original request within the designated timeframe. How much extension time is permissible for the accounting of disclosures?

30 days (a single extension, with written notice to Larry of the reason and the new date).

County Hospital is in the process of converting paper health records to electronic format. Early in the conversion process, an employee accidentally clicked on a link connected to a phishing email which resulted in a breach of the organization's newly established firewall. Breach of the firewall resulted in compromised PHI and demographic information. Upon discovery of the breach, the organization began the process of gathering information connected to the incident. How many days does the hospital have to gather information and comply with breach notification?

60 days

Sharon was recently in the hospital for a colectomy and now has a colostomy in place. Her physician is providing additional care but happens to be located in a different town than the hospital where she had her procedure. She contacted the hospital's HIM department and requested copies of her medical records. After receiving the copies and reviewing them, she will be taking them to her physician's office for continued care. Which HIPAA component applies to this scenario?

Access and Copies

While in the hospital for surgery, Jason had complications with his schizophrenia. He was seen by the hospital psychiatrist and moved to the psychiatric floor after being stabilized, post-surgery. Jason vocalized multiple threats to harm his nurse named Jim. Although Jim was very patient when caring for Jason, Jason was convinced that Jim was going to cause harm. Because of Jason's threats, Jim was removed from Jason's case. Two months after Jason's discharge, Jason contacted the HIM department and requested copies of his records. For what reason can the copy service deny Jason's request?

Access to these records might endanger the life of another individual.

What information must an NPP include?

The CE's uses and disclosures of PHI. The individual's rights and how to exercise them. The CE's legal duties to protect PHI. How to file a complaint with the CE and with the Secretary of HHS (Office for Civil Rights). A contact person or office for further information about the CE's privacy practices. The effective date.

What are the Omnibus 4 factors?

CEs and BAs are required by HIPAA to determine whether an impermissible use or disclosure is a reportable breach by performing a risk assessment on all four factors together (not just one of them); the PHI is presumed breached unless the assessment shows a low probability that it was compromised. 1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood that it can be traced back to an individual. 2. Who used the PHI or received the disclosure, and whether they were authorized. 3. Whether the PHI was actually acquired or viewed. 4. The extent to which the risk has been mitigated. If a breach is confirmed, the follow-up action plan (notification) applies; that is a consequence of the assessment, not a fifth factor. **Typically 10-15 questions must be answered to work through these four factors; forms and automated programs exist to facilitate the assessment.

The hospital hired a records release company to handle all release of information requests including paper and electronic records. The hospital received a request for records from Nicole and forwarded this request to the records release company. The company copied Nicole's records, prepared them to be sent, and included a bill in the envelope with the records. When Nicole received the bill, she was upset that she must pay for information that she considers her property. Nicole went to the hospital to speak with the records release employee. The employee explained that the charge is permissible as it is a reasonable cost. Which of the following are included in the reasonable cost of records? Select all that apply.

Certain labor (copying), supplies (paper or electronic media), postage, and, if the patient agreed to receive one, preparation of a summary or explanation.

What types of disclosures do NOT require an accounting?

Disclosures for TPO. Disclosures to the individual of their own records. Disclosures pursuant to an authorization. Disclosures for a facility directory or to persons involved in the individual's care. Disclosures for national security or intelligence purposes. Disclosures to correctional institutions or law enforcement officials having lawful custody of the individual. Disclosures as part of a limited data set. Disclosures incident to an otherwise permitted use or disclosure. Disclosures made before the HIPAA compliance date. Note that disclosures required by law (for example, mandatory public health reporting) are NOT exempt and must be accounted for.

T or F: If the unauthorized person was unable to retrieve or view the PHI, the incident must still be reported as a breach?

False. A disclosure in which the unauthorized person would not reasonably have been able to retain the information is one of the breach exceptions.

T or F: If the CE or BA cannot respond to an accounting of disclosures request within the required timeframe, it cannot get an extension?

False. A single 30-day extension is permitted (not a one-year extension), provided the individual is notified in writing of the reason and the new date.

True or False? The Notice of Privacy Practice (NPP) does not have an effective date noted on the form.

False

T or F: A breach must be reported to the affected individuals within 30 days of discovery of the breach?

False. Notice to individuals must be given without unreasonable delay and no later than 60 days after discovery.

T or F: A monetary penalty will be imposed upon any healthcare organization that improperly discloses PHI?

False. The HHS Office for Civil Rights (OCR) investigates the violation and has the discretion to impose a civil money penalty or to resolve the matter through corrective action instead.

T or F: If a patient requests that Hospital A amend her health record to correct an error that was created by another covered entity, Hospital A can grant the amendment?

False.

If a state law and federal law conflict, which do you follow?

HIPAA generally preempts contrary state law, but a state law that is more stringent (more protective of the individual's privacy, for example a longer retention period or a shorter deadline for responding to the patient) is not preempted. In practice, follow the stricter of the two.

What agency investigates breaches and has authority to impose monetary penalties?

HHS Office for Civil Rights (OCR).

An HIM director receives a request from the FBI for information about a patient's treatment. This patient made threats to the President and ended up in the hospital due to injuries from poison that he was preparing to send to the White House. As a result, this patient was identified as a security risk. The HIM director disclosed the information to the FBI. When the patient's attorney asked for an accounting of disclosure for the patient's health information, the disclosure to the FBI was not included. What determines information that is included and not included in the accounting of disclosure?

The HIPAA Privacy Rule. It lists the categories of disclosures that are exempt from the accounting (national security and intelligence disclosures among them) and also requires the CE to temporarily suspend the accounting of a disclosure to a law enforcement or health oversight agency when that agency states in writing that listing it would impede its activities.

What is the exception to the restriction of disclosure of PHI rule?

If a patient pays in full, out of pocket, for a service and asks that it not be disclosed to their health plan, the CE must agree: it must not bill the plan or release details of that service to the plan for payment or health care operations. The patient must make the request before the plan is billed, and payment in full before billing is generally required for the CE to honor this type of request.

Not all requests by a patient to access their PHI are granted; some denials are subject to review. Under what circumstances may a patient's request to access their health record be denied WITH a right to further review?

When a licensed health care professional determines, in the exercise of professional judgment, that: access is reasonably likely to endanger the life or physical safety of the individual or another person; the record references another person (other than a health care provider) and access is reasonably likely to cause substantial harm to that person; or the request is made by the individual's personal representative and access is reasonably likely to cause substantial harm to the individual or another person. ***The review must be performed by a licensed health care professional OTHER than the one who made the original denial.

When must a CE or BA notify the media of a breach?

If the breach involves more than 500 residents of a state or jurisdiction, notice must go to prominent media outlets serving that area, without unreasonable delay and no later than 60 days after discovery.

A lab technician looked up his neighbor's health information because he is curious about why he was admitted to the hospital. He learned that his neighbor was diagnosed with cancer and shared this information with his wife. What type of breach occurred?

Intentional breach

What is an NPP?

It is a notice given to patients from CE's that educate a patient as to how their PHI will be used and disclosed.

The HIPAA Privacy Rule includes provisions to allow individuals control over the use and disclosure of their health information. What will be provided to the individual as an explanation for how their health information will be used?

Notice of Privacy Practices

What does NPP stand for?

Notice of Privacy Practices

The IT staff at St. Mary's discovered a widespread data breach within their billing department that occurred as a result of the failure of encryption software. Highly sensitive patient data for 800 patients, including names, addresses, birthdates, social security numbers, and financial information, was potentially compromised. To remain in compliance with breach notification requirements, what are the next steps that the organization needs to take? Select all that apply.

Notice to media, Notice to the secretary of HHS, Notice to the individual

A celebrity was admitted to Community Hospital. While the celebrity was being transported to an operating room, some of the staff recognized the celebrity. One of the nurses logged into the computer and pulled up the PHI of the celebrity to read information about the celebrity's health and diagnoses. The nurse called her coworkers over to discuss the upcoming procedure, then one of the coworkers posted on social media that the celebrity is in the hospital. After HR received an alert that the patient's security was breached, ten employees were fired. What was the violation?

Privacy

Which of the following is not accessible to a patient who requests access to their medical record?

Psychotherapy notes

The Privacy Rule specifically states that individuals do not have the right of access to what information?

Psychotherapy notes (these are kept separate from the rest of the medical record; medication, session start and stop times, diagnosis and progress belong to the record itself and remain accessible). Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Patients are entitled to review the accounting of disclosure. After learning of her right to do so, Sally requested that the hospital send her the official accounting of where her health information had been released. What instance of disclosure will not be included? Select all that apply.

Receiving a copy of her own records, continuity of care, signed release of information.

Not all requests to access PHI from a patient are granted, a denial without further review can be made. What are the circumstances in which a request from a patient to access their health record might be denied without further review?

Requests for psychotherapy notes. Information compiled in anticipation of a legal or administrative proceeding. Inmate requests for PHI held by a correctional institution, where access would jeopardize health, safety, or security. PHI created or obtained in the course of research that is still in progress, if the patient agreed to the temporary denial of access when consenting to the research. PHI obtained from someone other than a health care provider under a promise of confidentiality, where access would reveal the source. PHI subject to the federal Privacy Act of 1974.

The Director of HIM is preparing her staff to begin purging paper records from the HIM department. Her staff has questions about purging some of the records. In order to determine retention rules, she refers to the HIPAA Privacy Rule and the applicable state law. The HIPAA Privacy Rule states that records must be retained for six years. However, the state law requires records to be retained for a period of at least 10 years from the last date of service. Which retention rule should the HIM director follow?

State law.

Should the HIM director follow state or federal law?

State law, because it is more stringent than the federal requirement. (HIPAA's six-year retention period actually applies to compliance documentation such as policies, authorizations, and accounting logs; retention of the health record itself is governed by state law.)

What are some examples of HIM-based disclosures?

Subpoenas without patient authorization. Law enforcement requests. Court orders. State-required reporting from health records. Birth certificates. Insurance company reviews. Other reviewers not acting for TPO. State department of health. Joint Commission. Newborn screening.

What are some examples of non-HIM-based disclosures?

Suspected domestic violence and child abuse reporting. Incident reporting to outside entities. Government discharge reporting. Other planning databases and reporting. Disclosures by a BA that are not for TPO. Underage pregnancy reporting. Communicable disease reporting. ***Each of these disclosures must be tracked whether it was made verbally, electronically, or on paper.

What must a CE or BA do in the event a breach is confirmed?

The clock starts on the date the breach is discovered (or reasonably should have been discovered). A BA must notify the CE without unreasonable delay and no later than 60 days after discovery. The CE must notify the individuals whose PHI was involved without unreasonable delay and no later than 60 days after discovery, and must notify the media within the same 60 days when more than 500 residents of a state or jurisdiction are affected. The timeframe for notifying the Secretary of HHS depends on the number of individuals affected, not on severity: a breach affecting 500 or more individuals must be reported to HHS at the same time as the individuals are notified (within 60 days); a breach affecting fewer than 500 individuals may be logged and reported within 60 days after the end of the calendar year in which it was discovered (example: a breach discovered on 1/1/2021 must be reported to HHS by 3/1/2022).

What happens if an amendment request is approved?

The CE identifies the information to be amended and makes the amendment (appending or linking the correction rather than deleting the original entry). The CE informs the patient which amendment requests were accepted and asks the patient to identify the persons and entities that need the corrected health record and to agree to their being notified; the patient's written agreement (a release of information form) authorizes the CE to send corrected copies to those the patient identified. The CE must also send the amendment to anyone, including BAs, that it knows has the PHI and may have relied on it to the patient's detriment.

What is the time frame a CE has to respond to an amendment request?

The CE must respond to the amendment request within 60 days with an outcome of the request. The CE is allowed a single 30 day extension if they cannot respond within the original time frame, the CE must inform the individual in writing of the extension and include an explanation for the extension.

What is the timeframe a CE or BA has to comply with a request for accounting of disclosure from a patient?

The CE or BA must respond within 60 days of receipt, with a single 30-day extension if the accounting will take longer to assemble; the patient must be notified in writing of the extension and the reason for it. Each entry in the accounting must contain: the date of the disclosure; the name (and address, if known) of the person or entity that received the information; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure.

What happens if an amendment request is denied?

The CE sends an explanation of denial in writing, informing the patients of their rights and future options.

What must be provided to a patient from the CE in the event that access to PHI is denied?

The denial must be written in plain language and state the basis for the denial. If the denial is reviewable, it must tell the individual how to request a review. It must also explain how to file a complaint with the CE (including a contact name or office and telephone number) and inform the patient of their right to complain to the US Secretary of Health and Human Services about the denial.

What are some reasons an amendment request may be denied?

The error was not created by the CE (unless the originator is no longer available to act on the request). The documentation containing the error is not part of the designated record set (DRS). The information is not PHI the individual would be permitted to inspect. The information is accurate and complete as it stands.

What happens after a patient requests an amendment to their medical record?

The request is forwarded to the attending (or authoring) physician for review; the physician compares the request against the data in the health record and either grants or denies the amendment, within the 60-day response timeframe.

What is a breach?

The acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of that information.

T or F: If a breach affects fewer than 500 individuals, the Secretary of Health and Human Services must be notified within 60 days after the end of the calendar year in which the breach was discovered?

True

T or F: If a patient's request for amendment has been denied, the patient can file a complaint with HHS through the Office for Civil Rights (OCR), but it is not guaranteed that the OCR will act.

True

T or F: If an individual working for a covered entity unintentionally accesses PHI, that is not a reportable breach.

True, provided the access was made in good faith, within the scope of the worker's authority, and the PHI was not further used or disclosed in an impermissible way.

T or F: Individuals have the right to access their own health information?

True

T or F: The key to healthcare operations is the use of treatment, payment and operations (TPO)?

True

T or F: The name and address of the entity or person who received the PHI, if known, must be included for each accounting of disclosure?

True

True or False? The covered entity provides a Notice of Privacy Practices to every individual requesting information in multiple languages common to the area.

True

T or F: A BA or CE must respond to an individual's accounting of disclosure request within 60 days of receipt?

True.

T or F: A breach must be reported to the media if it affects more than 500 individuals?

True, when it affects more than 500 residents of a state or jurisdiction; the notice goes to prominent media outlets serving that area.

T or F: Disclosures for treatment, payment, and healthcare operations (TPO) can be legally excluded from an accounting of disclosures?

True.

T or F: If the breach involves 500 or more individuals, the CE or BA must submit a breach notification form through the Office for Civil Rights (OCR) portal for reporting purposes?

True.

T or F: If the CE or BA can show there is a low risk that PHI was compromised, it may not be considered a breach?

True. Breach notification applies only to unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example by encryption). If the CE or BA can show that the PHI was secured, or a four-factor risk assessment demonstrates a low probability that the PHI was compromised, the incident is not a reportable breach.

Is it a requirement that a patient be given an NPP?

Yes. A health care provider with a direct treatment relationship must give the patient a copy of its NPP no later than the first service delivery (and make a good-faith effort to obtain a written acknowledgment of receipt); a health plan provides it at enrollment and reminds members of its availability at least every three years. The NPP must be posted in a clear and prominent location within the organization and on the organization's website if it has one, and it should be available in the languages read and spoken in the patient's community.

What are 3 exceptions that would exclude a situation from being a "breach"?

Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if made in good faith and within the scope of authority, and not further used or disclosed (example: picking up the wrong page off a printer and returning it). Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI within the same CE, BA, or organized health care arrangement (example: co-workers in the same healthcare facility). An unauthorized disclosure where the CE or BA has a good-faith belief that the recipient would not reasonably have been able to retain the information.

Disclosure means the ______ of confidential and privileged quality assurance record, documents or information contained in them to any individual or organization in any form or means. select all that apply:

communication, transmission, conveyance.

An attorney calls County Hospital to request records for a patient, Roger, who was seen in the Emergency Department because of a severe cut to his lower left leg. However, the attorney does not have a subpoena or a court order for these records. County Hospital uses a company that handles the release of copies of medical records. While an employee is preparing the records, she realizes that Roger has not signed a release of information authorizing the release of his PHI. She informs the attorney that she will not be sending the information. The release of information company is protecting Roger's right to __________.

confidentiality

What is an "accounting of disclosures"?

A record that a patient can request under HIPAA from a CE (or through its BA) listing the disclosures of their PHI made in the six years before the request, other than TPO disclosures and the other exempt categories. For each disclosure it shows what was disclosed, when, to whom, and for what purpose.
